
Patching Trust

Securing Log4j with the GitHub Secure Open Source Fund

In early 2025, I joined the first cohort of the GitHub Secure Open Source Fund—a program created to help maintainers secure the software they've built. At first, it wasn't a training. It was a déjà vu.

In 2021, Log4Shell broke thousands of systems worldwide. It showed me how fragile our technical foundation can be. Everything I had learned back then was brought up again in that training.

GitHub designed the Fund to combine funding, mentorship, and security education in one place.
Over three weeks, maintainers work directly with GitHub’s Security Lab and other experts—learning to threat-model, harden CI/CD workflows, and use tools like CodeQL and Copilot Autofix.
Each project receives funding to invest back into its security roadmap.

I joined together with Piotr Karwasz, looking for any weak links that might still exist in Apache Log4j.
During this training, we talked a lot. One of the things I said in a reflective moment later appeared in GitHub’s follow-up announcement:

Ignorance is the biggest security hole.
If this training had existed five years ago, maybe Log4Shell wouldn’t be here today.

I still stand by that.
Security is not about paranoia—it’s about humility. It’s about knowing what you don’t know, and learning faster than the next incident can happen.

Before this training, I considered my security knowledge weak.
During the training, I realized it wasn't.
After it, I closed the remaining gaps.
Today, I feel much more confident when it comes to software security.

The Secure Open Source Fund reminded me that security is a collective act.
We are not just patching code. We are also patching trust, line by line.
I’m grateful to GitHub and everyone who built this program.
It’s proof that collaboration and education can be stronger than fear.

→ Read more on GitHub: Securing the supply chain at scale: 71 important open source projects
→ Read: Announcing GitHub Secure Open Source Fund

Tags: open source, maintainership, security, GitHub, fund