FINOS Announces Intent to Form OSERA, a Global Financial Services-Led Alliance for Open Source Supply-Chain Resiliency in the Era of AI
The Linux Foundation | 26 June 2026
Spearheaded by Moderne and piloted by FINOS institutional members, the Open Source Enterprise Resiliency Alliance mutualises open source “backpatching”, promotes vendor neutral industry wide remediation standards and accelerates evidence-based compliant open source consumption at scale
LONDON — 25 June 2026 — At the Open Source in Finance Forum today, FINOS, the financial-services arm of the Linux Foundation, announced its intent to form an Open Source Enterprise Resiliency Alliance (“OSERA”), a global, vendor-neutral, member-governed coalition to strengthen the industry’s supply chain resiliency. OSERA will harden the open source components that underpin the sector by securing them through a vendor-neutral, upstream-aware approach, and will accelerate their compliant consumption at scale.
The announcement follows a successful member-only end-to-end pilot phase by Deutsche Bank, Goldman Sachs, Morgan Stanley, Royal Bank of Canada, and TD Bank Group, in which critical versions of Java projects were hardened by Moderne and released on a Sonatype Nexus repository neutrally hosted by FINOS.
Incubated in financial services where the regulatory bar is highest, OSERA seeks to serve any enterprise, building on the strong guiding principles of openness and collective responsibility set out by its founding members.
As part of the Linux Foundation’s response to the new wave of AI-enabled open source supply chain security threats, OSERA complements the recently announced Akrites, the cross-industry effort enabling coordinated disclosure and upstreaming. As the financial-services downstream complement to Akrites, OSERA will collaborate with Akrites in the upstreaming process and, together with the Open Source Security Foundation, represent the voice of the industry in defining remediation standards.
The vision for OSERA
Financial institutions depend on strikingly common open source dependencies and versions, so a flaw in one is a risk to all. Rather than each firm spending resources to address the same vulnerability on the same package alone, the alliance will mutualize that work in a neutral venue, while providing tools for accelerated consumption at the speed of AI. Key benefits include:
• Operational resilience. Known vulnerabilities in the exact versions firms still run are fixed once and consumed by all, faster than any firm could alone.
• Lower, shared cost. A recurring single-firm “hardening tax” is replaced with one openly governed programme, funded through a pooled model — pay for what you depend on.
• Regulatory readiness. A shared, auditable way to meet DORA, NIS2 and the EU Cyber Resilience Act, whose duties begin in 2026.
• No new lock-in. Remediation stays open, verifiable and portable — a neutral, sovereign alternative to depending on any single vendor.
“AI has collapsed the time to discover serious vulnerabilities from weeks of expert effort to minutes of automated scanning, and the sector should expect a flood of new CVEs — across both current and the older versions institutions still run,” said Gabriele Columbro, executive director, FINOS. “We started exploring mutualised backpatching and adopting common supply chain standards in late 2025; now AI has made this approach urgent at scale.”
What the pilot stage has already proven
During the pilot effort FINOS members have successfully tested a working end-to-end pipeline. Results include:
• Four critical Java frameworks backpatched. Widely used, high-risk versions were patched and initially released in a member-only repository. When upstreaming is not a viable option, a public fork governed by the alliance is maintained.
• End-to-end flow, validated by three member banks. Releases consumed through firms' corporate proxy, validated end-to-end, with no change to CI tooling.
• Shared prioritisation and industry standard-setting. A shared “Risk Navigator” is available for firms to collectively prioritize backpatches, with agreed artifact-naming conventions and VEX assertions.
• A predictable “platform” model. Backpatches are meant to be time-bound (12/24 months) and maintained by vendors with strong upstream credentials under SLAs contracted by the alliance.
Two sides of the same coin: standardized remediation and regulated consumption at scale
Following the recent rise of AI-aided cyber threats, a wave of open source remediation efforts is forming across the public and private sectors, including vendor coalitions, commercial vulnerability clearinghouses and open source LTS vendors. Each is valuable, but independently they risk creating fragmentation, new lock-ins and systemic concentration risks.
OSERA seeks to keep the remediation of shared, non-differentiating infrastructure in an open, standards-based, vendor-neutral layer, so a fix is verifiable and consumable whoever produced it — vendors are partners, not gatekeepers.
And while most of the industry’s attention has so far been on producing fixes, for regulated firms evidence-based consumption at scale in complex and regulated operating environments is equally critical to effectively managing supply chain risk.
“At the scale large financial institutions operate, producing fixes is only half the challenge - consuming them reliably across a complex, regulated estate is just as important,” said Dov Katz, Managing Director & Distinguished Engineer, Morgan Stanley. “OSERA helps align the ecosystem around practical, implementation-led standards for how open-source fixes are produced, validated, and consumed, so critical dependencies can be secured once and adopted broadly in a verifiable way.”
“Ingesting, testing, deploying and proving remediation across a vast regulated software estate is as important as producing the fixes themselves,” continued Columbro. “OSERA aims to standardize a machine-readable consumption evidence pack mapped to DORA, NIS2 and the EU Cyber Resilience Act, as well as AI-powered tools to upgrade at scale, so ‘patched, tested, deployed’ is provable without a manual fire drill.”
Join OSERA
OSERA is built for the global financial sector and is inviting new enterprise participants and maintainers. To join the FINOS member-only formation stage ahead of launch, contact the team at https://osera.finos.org/#involved or, if you already are a FINOS member, reach out to membersuccess@finos.org.
If you are an individual or a vendor and would like to be considered as a maintainer, propose the project / ecosystem and share your credentials at https://osera.finos.org/#involved.
Supporting quotes
“FINOS gives us a neutral place to collaborate on open-source security, in step with the Linux Foundation and upstream maintainers. Proving the model first, with room to scale globally, is the right way to build something the whole sector can rely on.”
— Peter Thomas, Managing Director & Distinguished Engineer, Deutsche Bank
"AI has compressed vulnerability discovery from weeks to minutes, but fixing the old libraries enterprises depend on hasn't moved. Moderne's deterministic infrastructure makes industrial-scale backpatching possible. Bringing that capability to FINOS lets the financial industry secure these shared dependencies once, for everyone."
— Jonathan Schneider, CEO and co-founder, Moderne
“Frontier LLMs have compressed the time between a vulnerability being discoverable and being exploitable, making it difficult for any institution to keep pace on its own. Coordinating through a neutral, finance-governed alliance is a highly credible way for our industry to respond at the speed this moment demands.”
— Bhupesh Vora, Europe Head of Capital Markets Quantitative & Technology Services, Royal Bank of Canada (RBC)
“Open source supply-chain resilience is a shared responsibility across the whole sector, not just the largest firms. A global, neutral home lets institutions of every size benefit from the same coordinated, evidence-bearing remediation.”
— Mark Paulsen, Head, Open Source Program Office, TD Bank Group
“The OpenSSF community welcomes OSERA and we look forward to further collaborating on financial services grade remediation standards. Only through those, in step with [LF Project], can we ensure upstream-first remediation that strengthens the commons and the emergence of tools and methodologies to upgrade at scale.”
— Steve Fernandez, General Manager, OpenSSF
“Finding vulnerabilities is getting easier. Proving that they have been fixed across a regulated software estate is not. Financial institutions often depend on the same open source components and the same older versions, which means every firm solving the same problem alone is wasted motion. OSERA gives the industry a neutral way to harden shared dependencies once, consume them safely, and carry the evidence forward.”
— Brian Fox, Co-founder and CTO of Sonatype, Steward of Maven Central
“The open source that underpins finance is shared by the entire world, and securing it is a collective responsibility. After the launch of Akrites, I am excited to see a critical industry like financial services continuing to rise to the challenge in the open with OSERA: this is exactly the kind of collaboration this moment calls for.”
— Jim Zemlin, CEO, The Linux Foundation
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, OpenStack, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation is focused on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
For a list of trademarks of The Linux Foundation, please see its trademark usage page: linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.