Global banks back alliance to secure open-source code

FINOS launched OSERA, a vendor-neutral alliance to harden open-source components used by major banks after a member-only pilot with Deutsche Bank, Goldman Sachs, Morgan Stanley, RBC and TD.

FINOS announced the Open Source Enterprise Resiliency Alliance (OSERA) at the Open Source in Finance Forum. The group is a vendor-neutral, member-governed coalition intended to produce and share fixes for widely used open-source components across financial firms. The announcement follows a member-only pilot that included Deutsche Bank, Goldman Sachs, Morgan Stanley, Royal Bank of Canada and TD Bank Group.

OSERA will operate as a neutral platform where members can pool effort to backpatch vulnerable packages and then consume those fixes across their estates. During the pilot, Moderne backpatched critical Java project versions and releases were staged in a Sonatype Nexus repository hosted by FINOS. The pilot validated that those releases could be pulled through corporate proxies and integrated without changing existing continuous integration tooling.

Pilot results included four high-risk Java frameworks backpatched and released into a member-only repository. Where upstream fixes were not feasible, governed public forks were maintained. Three banks validated the end-to-end release and consumption path. Members also agreed on shared prioritization tools, artifact-naming conventions and Vulnerability Exploitability eXchange (VEX) assertions that state the vulnerability and remediation status of each artifact. OSERA plans to maintain backpatches for defined windows, typically 12 to 24 months, and to contract vendors with upstream credentials under service-level agreements to manage those patches.
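To make the VEX piece concrete, the following is an added example (not code from FINOS, OSERA or Moderne) of a consumer-side check over an OpenVEX document: it validates the statements a member repository might publish alongside a backpatched release and maps each artifact in a constructed inventory to its vulnerability status, so that artifacts with no covering statement surface as "unknown" rather than silently passing. The document layout follows the OpenVEX specification; the package coordinates, CVE identifiers and document URL are constructed placeholders.

```python
"""Consumer-side evaluation of OpenVEX statements for backpatched artifacts.

Added example: the document below is constructed for illustration. The package
coordinates, CVE identifiers and @id URL are placeholders, not real OSERA data.
"""

# Constructed OpenVEX document as a member repository might publish it.
VEX_DOCUMENT = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/demo-001",  # placeholder
    "author": "constructed example, not a real alliance artifact",
    "timestamp": "2025-12-01T00:00:00Z",
    "version": 1,
    "statements": [
        {   # the backpatched release carries the fix
            "vulnerability": {"name": "CVE-0000-00001"},  # placeholder id
            "products": [{"@id": "pkg:maven/example.group/example-lib@1.2.3-bp.1"}],
            "status": "fixed",
        },
        {   # the original release is affected; tell consumers what to do
            "vulnerability": {"name": "CVE-0000-00001"},
            "products": [{"@id": "pkg:maven/example.group/example-lib@1.2.3"}],
            "status": "affected",
            "action_statement": "Upgrade to 1.2.3-bp.1 from the member repository.",
        },
        {   # a second CVE never applied to this artifact; justification required
            "vulnerability": {"name": "CVE-0000-00002"},  # placeholder id
            "products": [{"@id": "pkg:maven/example.group/example-lib@1.2.3-bp.1"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_present",
        },
    ],
}

# Status values defined by OpenVEX.
VALID_STATUS = {"not_affected", "affected", "fixed", "under_investigation"}
# Statuses a consumer should treat as open work.
ACTIONABLE = {"affected", "under_investigation", "unknown"}


def validate_document(doc):
    """Return a list of problems found in the statements (empty means valid)."""
    errors = []
    for i, st in enumerate(doc.get("statements", [])):
        status = st.get("status")
        if status not in VALID_STATUS:
            errors.append(f"statement {i}: invalid status {status!r}")
        if not st.get("vulnerability", {}).get("name"):
            errors.append(f"statement {i}: missing vulnerability name")
        if not st.get("products"):
            errors.append(f"statement {i}: no products listed")
        # OpenVEX requires a justification or impact statement for not_affected.
        if status == "not_affected" and not (
            st.get("justification") or st.get("impact_statement")
        ):
            errors.append(f"statement {i}: not_affected without justification")
    return errors


def index_statements(doc):
    """Map (purl, vulnerability) -> statement; later statements win on conflict."""
    index = {}
    for st in doc["statements"]:
        vuln = st["vulnerability"]["name"]
        for product in st["products"]:
            index[(product["@id"], vuln)] = st
    return index


def assess(doc, inventory, vulnerabilities):
    """Return {(purl, vuln): status} for every artifact in the inventory.

    An artifact with no covering statement is reported as "unknown" so that a
    missing assertion is never mistaken for a clean result.
    """
    index = index_statements(doc)
    report = {}
    for purl in inventory:
        for vuln in vulnerabilities:
            st = index.get((purl, vuln))
            report[(purl, vuln)] = st["status"] if st else "unknown"
    return report


def needs_action(report):
    """Sorted list of (purl, vuln) pairs that still require follow-up."""
    return sorted(key for key, status in report.items() if status in ACTIONABLE)


if __name__ == "__main__":
    # Constructed inventory: one artifact on the old release, one on the backpatch.
    inventory = [
        "pkg:maven/example.group/example-lib@1.2.3",
        "pkg:maven/example.group/example-lib@1.2.3-bp.1",
    ]
    problems = validate_document(VEX_DOCUMENT)
    print("validation:", problems or "ok")
    report = assess(VEX_DOCUMENT, inventory, ["CVE-0000-00001", "CVE-0000-00002"])
    for (purl, vuln), status in sorted(report.items()):
        print(f"{purl}  {vuln}  {status}")
    print("open items:", needs_action(report))
```

Run as-is it validates the constructed document and prints the status matrix; the old release shows as "affected" for the first CVE and "unknown" for the second, while the backpatched release is "fixed" and "not_affected". Treating "unknown" as actionable is the deliberate design choice: in a regulated estate an artifact that no VEX statement covers is a gap in the evidence, not a pass.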

Organizers framed the work as addressing two linked needs: producing verifiable fixes for older dependency versions that firms continue to run, and proving that those fixes have been tested and deployed across complex, regulated estates. The alliance intends to provide machine-readable evidence packs mapped to the EU’s DORA, NIS2 and the Cyber Resilience Act to help firms and auditors verify remediation. Funding will follow a pooled model so members pay according to what they depend on rather than each firm repeating the same hardening work.

“AI has collapsed the time to discover serious vulnerabilities from weeks of expert effort to minutes of automated scanning,” Gabriele Columbro, executive director of FINOS, noted. He said FINOS began exploring mutualized backpatching in late 2025 and that accelerated automated discovery made coordinated action urgent.

OSERA will work alongside broader cross-industry efforts. Organizers said the alliance will complement Akrites on upstreaming and collaborate with the Open Source Security Foundation on remediation standards. They emphasized that remediation must remain open, verifiable and portable to avoid vendor lock-in or concentration of systemic risk.

Industry participants highlighted operational benefits. Dov Katz, managing director and distinguished engineer at Morgan Stanley, noted that producing fixes is only half the challenge and that consuming them reliably across a complex, regulated estate is equally important. Jonathan Schneider, CEO and co-founder of Moderne, described the company’s deterministic backpatching infrastructure as a way to enable industrial-scale remediation within a neutral forum.

OSERA is inviting new enterprise participants and maintainers to join its formation stage within FINOS.
