Abstract & Details
Description
Award ID: 2528836
The goal of this conference is to advance the security, sustainability, and inclusivity of open-source (OS) ecosystems by facilitating interdisciplinary collaboration and dialogue. Through participation from academic researchers, industry experts, and community contributors, the conference aims to foster convergence across technical, social, and policy domains to address key challenges in OS development. Key outcomes will include a comprehensive post-conference report that is submitted for publication. This report will distill findings from the event into actionable tools, performance metrics, and design strategies for OS software security, borrowing from successful approaches in adjacent fields. To support practical implementation, the conference will also generate an openly available tutorial or checklist that guides OS developers through secure design practices. The video-recorded keynote sessions, annotated bibliographies, and edited transcripts will be made accessible to increase engagement, especially among students and early-career professionals. Together, these efforts are intended to strengthen the OS developer pipeline, inform future research, and support a more secure and collaborative open-source ecosystem. The Cyber Policy Initiative (CPI), in collaboration with the Harris School of Public Policy, will lead the planning and execution of a dynamic, two-day conference focused on open-source software and cybersecurity. Although much attention has been paid recently to the security of Open-Source Software (OSS) supply chains, questions remain concerning the behavioral and financial incentives for those people (typically volunteers) that work tirelessly to secure OS ecosystems. As such, the conference will conduct a targeted investigation into the conditions for successfully incentivizing a secure OS environment. 
Topics to be addressed include how artificial intelligence influences how we think about incentivizing the secure development of AI OS, and what parallels exist between security for critical nodes in a traditional supply chain and critical nodes in the OSE supply chain. The discussion of these questions identifies open-source challenges and bolsters cyber-resiliency by providing adequate behavioral and economic incentives. Research focused on developer incentives for securing OSS and OS ecosystems can intersect directly with expertise from several fields, such as psychology, behavioral economics, cybersecurity, cryptography, and so forth. By examining the interplay between behavioral, economic, and technological considerations, this conference can uncover important lessons that can improve the approach to incentivizing secure OSE for both producers and consumers. The conference can also help replicate appropriate metrics or evaluation methods, as well as critical tools to support dependency transparency and accountability. Ultimately, the OS ecosystem writ large will benefit from a multidisciplinary approach and from engagement across typically segmented communities. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
NSF Program Director: Florence Rabanal
| Status | Active |
|---|---|
| Effective start/end date | 09/15/25 → 02/28/27 |
Funding
- University of Chicago: $46,670.00
Active Fiscal Year
- FY2027
- FY2026
- FY2025
Start Fiscal Year
- FY2025
TIP Programs
- (SA) Supporting Activities
Program Status
- Active
Key Technology Areas
- Supporting Activities (confidence score: 100%)
- Data and Cybersecurity (confidence score: 100%)
- Advanced Computing and Semiconductors (confidence score: 84%)
Technology Foci
- Cyber-security (confidence score: 100%)
Congressional District at Award
- District n. 01 of Illinois
Current Congressional District
- District n. 01 of Illinois
United States
- Illinois
Core Based Statistical Area (CBSA)
- Chicago-Naperville-Elgin, IL-IN
County
- County: Cook, IL
Main Awarded Institution
- ZUE9HKT2CLC9