Meet four alumni maintainers from the GitHub Secure Open Source Fund, based in Brazil and Germany, who are strengthening the security of critical open source projects. Maintainers from Log4j, GoReleaser, EVCC, and ScanAPI share how they improved security, advanced AI security practices, and how this work benefits the entire open source ecosystem.

Meet the projects
Explore the projects supported by the GitHub Secure Open Source Fund and learn how they’re improving software security worldwide.
Highlighted projects
Meet alumni projects that are improving security for the entire ecosystem.

AutoGPT
"The AI-agent ecosystem is safer — and will keep getting safer — because of the Secure Open Source Fund."

SciPy
"The program took us from 0 to security scans on every line of code, on every commit, and on every release."

CPython
"This program made it possible to enhance Python’s security, directly benefiting millions of developers."

Log4j
"We learned it the hard way: Ignorance is the biggest security hole. If this training had existed five years ago, maybe Log4Shell wouldn’t be here today."

Ollama
"The GitHub Secure Open Source Program is a safe space to ask leading experts security questions, and learn how other high-impact projects address similar challenges."

Pandas
"This program provided us with the knowledge and tools to handle security risks, enabling us to better protect the millions of users who rely on pandas every day."

Frequently asked questions
How many projects are supported by the GitHub Secure Open Source Fund?
The GitHub Secure Open Source Fund currently supports 136 open source projects across security tooling, AI/ML infrastructure, cryptography, developer productivity, and foundational libraries used by millions of developers and organizations around the world.
What are all the projects supported by this fund?
AI and ML frameworks / edge-LLM tooling 🤖
Ollama • AutoGPT/Gravitasml • scikit-learn • OpenCV • CodeCarbon • Zeus • Cognee • CAMEL-AI • Ruby-OpenAI
Front-end and full-stack frameworks / UI libraries 📚
Next.js • Nuxt • Svelte • NativeScript • Bootstrap • shadcn/ui • Path-to-RegExp • WebdriverIO
Web servers, networking, and gateways 🖥️
Node.js • Express • Fastify • Caddy • Netbird
DevOps, build-system, container tooling 🧰
Turborepo • Flux • Colima • bootc • Terra • Warpgate • NixOS/Nixpkgs • Termux • BlueFin
Security frameworks, identity, compliance tooling 🔐
Log4j • ScanCode • CycloneDX (cdxgen) • Cyclonedx-dotnet • ScanAPI • OAuthlib • PGPainless • Zitadel • Veramo • Stalwart • Social-App-Django • Jose • Ente
Developer utilities and CLI helpers 🧑‍💻
Oh My Zsh • nvm • Cobra • Charset-Normalizer • Viper • API Dash • Stirling-PDF • Libyt • MessageFormat • YAML • qs • Polly • JUnit • CSS-Declaration-Sorter • Wagmi • Electron • Resolve
Data, visualisation, and scientific computing 📊
Matplotlib • Jupyter • Pelias Geocoder • Mathesar • DataJourney • AirQo • ERPNext • PypeIt • LORIS • Mautic • Diesel
What do the maintainers of projects supported by this fund have to say?
Log4j: We learned it the hard way: Ignorance is the biggest security hole. If this training had existed five years ago, maybe Log4Shell wouldn’t be here today.
Turborepo: Secure Open Source Fund pushed us to specialize our IRP and ship it.
shadcn/ui: Security went from something we should do to something we actively do.