Banks form OSERA alliance to harden open-source components

FINOS launched the Open Source Enterprise Resiliency Alliance, a vendor-neutral, member-governed coalition of banks to backpatch and share verified fixes for common open-source libraries.

FINOS, the financial-services arm of the Linux Foundation, announced the Open Source Enterprise Resiliency Alliance (OSERA) at the Open Source in Finance Forum. The vendor-neutral, member-governed coalition was created by banks including Deutsche Bank, Goldman Sachs, Morgan Stanley, Royal Bank of Canada and TD Bank Group to harden commonly used open-source components and share fixes across the sector.

The announcement follows a member-only pilot in which Moderne backpatched critical Java framework versions. Those backpatched artifacts were published to a Sonatype Nexus repository hosted by FINOS. When upstream fixes were not possible, the group maintained public forks governed by OSERA to deliver security updates.

OSERA aims to speed the production of patches and their consumption inside financial firms in a way those firms can show is compliant. The alliance plans to provide time-limited backpatches, typically maintained for 12 to 24 months, and to contract vendors under service-level agreements to carry fixes forward. The group also intends to create machine-readable evidence packages that map remediation and consumption to EU rules including DORA, NIS2 and the Cyber Resilience Act, whose obligations begin to apply in 2026.

FINOS representatives pointed to a rise in automated scanners and large language models that shorten the time between discovery and exploitability of vulnerabilities. Gabriele Columbro, executive director at FINOS, warned that “AI has collapsed the time to discover serious vulnerabilities from weeks of expert effort to minutes of automated scanning,” and said the sector should expect many new CVEs across current and older versions institutions still run.

Pilot results presented at the forum included four high-risk Java frameworks that were backpatched and initially released in a member-only repository. Three member banks validated an end-to-end flow that allowed releases to be consumed through corporate proxies without changes to existing continuous integration tooling. The pilot also produced a shared “Risk Navigator” for prioritization, agreed artifact-naming conventions and VEX assertions to document vulnerability status.
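The VEX assertions and time-limited support window above are easiest to see in a concrete document. The following is an added example and not code from FINOS, OSERA, Moderne or any member bank: it emits an OpenVEX document for a backpatched artifact and then resolves a scanner finding against it the way a consuming firm's pipeline might. The CVE id, the Maven coordinates and the "-osera.N" version suffix are constructed placeholders, and the wrapper that carries the support window beside the VEX document is an assumed evidence-package shape, since the article does not define one.

```python
"""Added example, not code from FINOS, OSERA or Moderne: emit an OpenVEX
document for a backpatched artifact and resolve a scanner finding against it."""
import json
from datetime import date, timedelta

# Constructed placeholders: this CVE id, these Maven coordinates and the
# "-osera.N" suffix are illustrative and not real identifiers or conventions.
CVE_ID = "CVE-0000-00000"
UPSTREAM_PURL = "pkg:maven/org.example/example-framework@4.1.0"
BACKPATCH_PURL = "pkg:maven/org.example/example-framework@4.1.0-osera.1"


def build_evidence_package(author, issued_iso, support_months):
    """Return {"vex": <OpenVEX document>, "support_until": <ISO date>}.

    The wrapper is an assumed shape: OpenVEX itself has no expiry field, so the
    time-limited support window lives beside the document, not inside it.
    """
    issued = date.fromisoformat(issued_iso)
    support_until = issued + timedelta(days=30 * support_months)
    vex = {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://vex.example.invalid/example-framework-4.1.0-osera.1",
        "author": author,
        "timestamp": f"{issued_iso}T00:00:00Z",
        "version": 1,
        "statements": [
            {   # the upstream build stays affected; point consumers at the fix
                "vulnerability": {"name": CVE_ID},
                "products": [{"@id": UPSTREAM_PURL}],
                "status": "affected",
                "action_statement": f"upgrade to {BACKPATCH_PURL}",
            },
            {   # the backpatched build is the product the fix applies to
                "vulnerability": {"name": CVE_ID},
                "products": [{"@id": BACKPATCH_PURL}],
                "status": "fixed",
                "status_notes": f"backpatch maintained until {support_until.isoformat()}",
            },
        ],
    }
    return {"vex": vex, "support_until": support_until.isoformat()}


def resolve_finding(package, purl, cve, today_iso):
    """Map a scanner finding (exact purl + CVE) to (status, reason).

    Products match on the exact purl, so 4.1.0 and 4.1.0-osera.1 are different
    products and the 'fixed' statement never leaks onto the unpatched build. A
    'fixed' statement past its support window is reported as
    'under_investigation' rather than silently suppressing the finding.
    """
    support_until = date.fromisoformat(package["support_until"])
    today = date.fromisoformat(today_iso)
    for stmt in package["vex"]["statements"]:
        if stmt["vulnerability"]["name"] != cve:
            continue
        if not any(p["@id"] == purl for p in stmt["products"]):
            continue
        if stmt["status"] == "fixed" and today > support_until:
            return "under_investigation", f"backpatch support ended {package['support_until']}"
        reason = stmt.get("status_notes") or stmt.get("action_statement") or ""
        return stmt["status"], reason
    return "under_investigation", "no VEX statement for this product and vulnerability"


if __name__ == "__main__":
    pkg = build_evidence_package("OSERA member (hypothetical)", "2025-01-15", 18)
    print(json.dumps(pkg["vex"], indent=2))
    for purl in (UPSTREAM_PURL, BACKPATCH_PURL):
        print(purl, resolve_finding(pkg, purl, CVE_ID, "2025-06-01"))
```

Two design points matter for a regulated consumer. Matching is on the exact package URL, which is why agreed artifact-naming conventions are needed: if the backpatched build were published under the upstream version string, the "fixed" assertion could not be distinguished from the unpatched artifact. And a backpatch that has left its 12 to 24 month window is deliberately not treated as still fixed by the pipeline, so the finding resurfaces for review instead of staying suppressed by a stale assertion.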

Organizers described OSERA as a global, neutral forum where members pool effort and costs to address vulnerabilities in exact component versions used by many firms. The alliance positioned itself as a downstream complement to cross-industry efforts such as Akrites and said it will collaborate with the Open Source Security Foundation on remediation standards. OSERA leaders emphasized remediation will remain open, verifiable and portable rather than creating new vendor lock-in.

Dov Katz, managing director and distinguished engineer at Morgan Stanley, said OSERA aims to align the industry around practical standards for how open-source fixes are produced, validated and consumed so dependencies can be secured once and adopted broadly. Brian Fox, co-founder and CTO of Sonatype, commented that finding vulnerabilities has become easier while proving they have been fixed across a regulated software estate remains difficult.

FINOS stated OSERA is open to new enterprise participants and maintainers worldwide. The group said the initiative was incubated within financial services to meet strict regulatory requirements but is available to any enterprise that relies on commonly used open-source infrastructure.
