Bootstrap at GitHub Secure Open Source Fund

We represented Bootstrap with Mark Otto at the 2nd session of the GitHub Secure Open Source Fund program, which took place remotely in June 2025.

This program is designed to improve the security and sustainability of Open Source projects, both financially and technically. It brings together maintainers, security experts, and ecosystem partners for three weeks of intensive, hands-on learning. Each week had 3 focused days (around 3 consecutive hours each) mixing expert-led presentations, collaborative workshops, and office hours with security specialists. Between sessions, we had homework: concrete, project-specific actions to strengthen our codebase, workflows, and processes right away.

As usual, this was done in our spare time, which made the pace intense but still manageable. Thanks to the flexibility of remote participation, we were able to adapt the sessions around our workdays: before work for Mark, and after for me.


What the program covered

The program was structured into 3 thematic weeks, each combining presentations, workshops, and actionable takeaways. The main topics were:

  • Threat Modeling: Identifying potential security risks before they happen.
  • Incident Response Plan: A structured plan to quickly detect, contain, and recover from security breaches.
  • Secure Supply Chain: Ensuring all software and components come from trusted, verified sources.
  • Advanced Tooling: Using GitHub's features and automation to strengthen security defenses.
  • Community Security: Collaborating and sharing knowledge to protect the broader ecosystem.

If you work in a big corporation, these topics might sound familiar, but here the focus was entirely on GitHub tools and environments. That’s not always the case in our own organizations, where tooling and processes can be very different.


What we found most valuable

Every module had value, but for Bootstrap the most impactful lessons were the ones with immediate effect or lasting organizational relevance.

Because our core team is small and changes over time, we need security practices that are:

  • Easy to understand
  • Simple to apply remotely and autonomously
  • Clearly documented

One key takeaway: have an Incident Response Plan in place before anything happens. Without it, the first moments of a real incident can easily turn into panic and confusion, especially across time zones, when not everybody is available at the moment it happens.

We also learned a lot from sessions on Threat Modeling, securing GitHub Actions, exploring GitHub security features, and using other tools to improve our security posture.

But beyond the technical takeaways, the most valuable part was the community aspect: meeting other maintainers, exchanging experiences, and learning from each other’s successes and struggles. It was a good reminder that we’re not alone: the Open Source community is a strong support network.

In this second session, participants came from many well-known projects, including Express.js, JUnit, nvm, Oh My Zsh, and many more (53 projects in total). You can see the full list in GitHub’s blog post.


How Bootstrap is improving

During the program, we implemented several small changes:

  • Performed an SBOM analysis of our dependencies to spot vulnerabilities
  • Enabled Private Vulnerability Reporting, so users can report security issues privately
  • Experimented with fuzzing on our codebase to detect potential problems

We’ve also started drafting an Incident Response Plan, begun discussing a Threat Model for Bootstrap, reintegrated the OSS Scorecard into our workflow, and pinned GitHub Actions to specific commit SHAs instead of mutable tags.
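One concrete way to verify the Actions pinning mentioned above, as an added example that is not Bootstrap's own tooling: a small script that walks a workflow file and flags every `uses:` reference that is not pinned to a full 40-hex commit SHA (a tag or branch can be moved later, a SHA cannot). The workflow it scans is constructed for this example; the SHA and `example-org/some-action` are placeholders, not real values.

```python
import re

# Matches a remote action reference on a `uses:` line: owner/repo[/path]@ref
# (a trailing "# v3.8.2" comment is ignored; local `./path` actions have no @ and are skipped)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s'\"#]+)")
# A full commit SHA is the only immutable reference form
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the SHA and example-org/some-action are placeholders
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.8.2
      - uses: ./.github/actions/local-step
      - name: Release
        uses: example-org/some-action@main
"""


def audit_workflow(text):
    """Return (line_no, action, ref, pinned) for each remote `uses:` reference.

    pinned is True only when ref is a 40-hex commit SHA.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        findings.append((n, action, ref, bool(SHA_RE.match(ref))))
    return findings


def unpinned(text):
    """Only the references a maintainer still has to pin: (line_no, action, ref)."""
    return [(n, a, r) for n, a, r, pinned in audit_workflow(text) if not pinned]


if __name__ == "__main__":
    for n, action, ref in unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} is not pinned to a commit SHA")
```

Run it over each file under `.github/workflows/` to get the list of references to replace with their commit SHA (keeping the version as a trailing comment, as in the sample, preserves readability).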

There’s still a lot to do, but we now feel more confident in our ability to maintain Bootstrap securely and sustainably. Over the coming months, we’ll continue refining our build processes, documentation, and testing to make Bootstrap more secure for everyone.


A great time collaborating

On a personal note, it was great to have some focused time with Mark to talk and plan for Bootstrap’s future. We rarely get the chance to do that, so these moments felt especially valuable.

It was refreshing to step away from the constant flow of community issues and PRs and think more strategically, even if it reminded us of the never-ending to-do list: bug fixes, “new” features still waiting to ship, ideas we’ll probably never have time to explore, and things that were once innovative but that we never got the chance to ship and aren’t so innovative anymore ¯\_(ツ)_/¯.

Like many maintainers, we face the reality of limited spare time, all while juggling demanding day jobs: in my case, working on Design Systems that are often more advanced than Bootstrap.

It can be frustrating at times, but as long as we’re moving forward, it’s still progress, and that’s a win for the Bootstrap community :) Keep pushing!

Thank you

A huge thank you to Mark Otto, the funding and ecosystem partners who made this program possible, the GitHub team (shout-out to Gregg Cochran for being such a great host) and security experts for their guidance, and all the other maintainers for their insights and camaraderie.

If you maintain an Open Source project, I highly recommend applying for a future session. It’s an investment that pays off in resilience, trust, and peace of mind.


Here's the official link to GitHub's blog post: https://github.blog/open-source/maintainers/securing-the-supply-chain-at-scale-starting-with-71-important-open-source-projects/


Hello Julien, I was going through the Bootstrap documentation. Can you help me with this question on Stack Overflow: https://stackoverflow.com/questions/79834003/embedding-youtube-videos-in-bootstrap-modal-components-returns-error-153


Big security impact - congrats!
