About OTTRIA

The Open Source Trust, Threat and Risk Intelligence Alliance #

We don't come from the consulting world. We come from the open source world.

OTTRIA was founded because a gap exists that nobody is closing. New EU legislation — DORA, NIS2, the Cyber Resilience Act, the new Product Liability Directive — makes companies responsible for the security of their entire software supply chain. A large part of that supply chain consists of open source software. And for this software there is no contractual partner, no SLA, and often not even a point of contact.

OTTRIA closes this gap. We are the operational partner for the open source supply chain — with documented processes, measurable results, and audit-ready evidence.

Two missions #

Mission 1: Make open source governance possible for enterprises. Enterprises need structured access to their open source supply chain. Not just visibility through scanners, but the actual capability to act: fixing vulnerabilities, monitoring projects, documenting risks, and holding up under audit.

Mission 2: Strengthen the open source world. Open source is the foundation of the digital economy. We invest in the projects our customers depend on — all projects, not just the prestigious ones. Bug bounties, hardware, CI/CD, code contributions, holiday cover for maintainers. Because stable projects benefit everyone.

These two missions are interdependent. Enterprises benefit from stable, secure projects. Projects benefit from concrete support. And the entire ecosystem becomes more resilient.

The founder #

Torsten Zühlsdorff is a FreeBSD committer (tz@FreeBSD.org) and member of the FreeBSD ports-secteam with over 1,000 commits in one of the oldest and most security-critical open source projects in the world. He knows from first-hand experience how open source projects work — and where they reach their limits.

Beyond his work at FreeBSD, Torsten has contributed to dozens of open source projects — from development and debugging to documentation, issues, discussions, and code reviews. Among the most well-known are PHP, LibreOffice, and PostgreSQL. He has also founded and maintained his own open source projects, including APHPUnit and SQL 2 Func. He does not know the maintainer reality from hearsay — he lives it.

This experience is the foundation of OTTRIA. We understand the community because we are part of it. And we understand enterprise requirements because we have read the legislation — not the summaries, but the actual legal texts.

The network #

OTTRIA works with a network of over 650 specialists: developers, security researchers, committers, and maintainers from various open source projects and technology domains. Beyond the technical specialists, the network also includes supporting professions: grant advisors (a rare and particularly valuable profile in the open source world), lawyers, community managers, and other roles. This network enables us to cover even specialised projects and rare technology stacks.

No single company can maintain expertise in every programming language and every framework. Our network can.

Open Source Steward #

OTTRIA voluntarily takes on the role of an "open source software steward" under the Cyber Resilience Act. This is not a marketing decision; it is a legal commitment to fostering secure open source development.

As a steward, we are obligated to put in place and document a cybersecurity policy, actively handle vulnerabilities in the projects we support, and cooperate with European market surveillance authorities. For our customers, this means a partner whose vulnerability handling obligations are fixed in law, not only in a contract.

Ownership and independence #

OTTRIA is a wholly owned subsidiary of P. Variablis GmbH, which is owner-managed and 100% owned by the founder. OTTRIA is therefore independent and not for sale.

This means: no investors pushing for an exit. No outside corporation dictating priorities. No conflicts of interest. We make our decisions exclusively in the interest of our customers and the open source community.

Startup-honest #

We are a young company. We do not yet have ten years of corporate history and a hundred reference customers. What we have is publicly verifiable work.

Our commits at FreeBSD — public. Our own open source projects — public. Our patches and reviews — public. The legal analyses on which our work is based — public.

We don't believe in inflated case studies and polished marketing. We believe in transparency. We will publish much of our future work as open source ourselves, because we practice what we preach.

Our work is publicly verifiable. Check us out.

Want to get to know OTTRIA? Schedule an initial consultation — no obligation and no sales pressure.