Open Source at OTTRIA
The bridge between the open source community and the enterprise world
OTTRIA — the Open Source Trust, Threat and Risk Intelligence Alliance — stands between open source projects and companies. We do not profit from open source — we secure it.
Open source is the foundation of the digital economy. Millions of software projects, maintained by dedicated people, often without budget, without contract, without safety net. Companies worldwide build on it — and now bear the legal responsibility for it.
OTTRIA is the bridge between these two worlds. We come from the open source community and understand the reality of maintainers. At the same time, we know the regulatory requirements that DORA, NIS2, and the Cyber Resilience Act impose on companies. Our task is to bring both sides together — without instrumentalising one for the other. Like a bridge, we bear the load from both shores: we translate the requirements of companies into support for the community and the results of the community into audit-ready evidence for companies.
The regulatory pressure comes from both sides
The CRA defines obligations on the supply side — for stewards and manufacturers. But the far greater pressure arises on the demand side: with the companies that use open source.
DORA obliges financial institutions to conduct open source analyses as a testing method (Art. 25(1) DORA) and to actively manage all ICT third-party risks (Art. 28(1-3) DORA). NIS2 makes supply chain security a mandatory measure for 18 sectors of critical infrastructure (Art. 21(2)(d) NIS2) — including the assessment of the security processes of all suppliers. The new Product Liability Directive makes software a product subject to liability for the first time (Art. 4 Directive 2024/2853), with an eased burden of proof for injured parties (Art. 12 Directive 2024/2853).
This pressure flows directly to the projects: companies will send compliance questionnaires, demand security processes, and expect documented response times — from maintainers who have neither budget nor capacity for this. OTTRIA absorbs this pressure.
What sets us apart
Others invest in prestigious core projects. We invest in all projects from our clients' SBOMs.
When a company has 800 open source components in its software bill of materials, we do not care only about the five best-known ones. We care about all 800 — including the projects that hardly anyone knows but that are nonetheless critical.
Concretely, this means: we promote, support, and protect the small projects too — the ones that appear in no catalogue, for which no enterprise support exists, and that are nonetheless embedded in thousands of supply chains.
Who we are here for
Individual projects and maintainers
Do you maintain an open source project with a small team? Do you carry the responsibility but lack the resources? We help concretely — with hardware, CI/CD infrastructure, code contributions, tests, and more.
Learn more: support for individual projects
Foundations and large-scale projects
The Cyber Resilience Act introduces the role of the "open source software steward". Foundations can inadvertently fall into this role. We take over the associated obligations — European, in your language, without foreign law.
Learn more: stewardship for foundations
Companies that use open source
Do you have an SBOM with hundreds of components and need someone to take care of the supply chain? We monitor, fix, and document — so you can withstand auditors and supervisory authorities.
Learn more: services for companies
What we give back
- Bug bounties for projects that have no budget of their own
- Hardware and CI/CD infrastructure for projects that need it
- Code contributions, reviews, and tests in the projects of our clients' SBOMs
- Holiday cover for maintainers who need a break
- Talent development for future maintainers and security researchers
- Training in secure development and vulnerability management
Transparency
Everything we do is open source — patches, reviews, issues, SBOMs. We work publicly because we are convinced that transparency is the foundation of trust.
Our commits, our issues, our patches — everything is publicly visible. If you want to know what OTTRIA actually delivers, look at our work.
The steward advantage
OTTRIA voluntarily registers as an "open source software steward" under the Cyber Resilience Act (Art. 3 No. 14 CRA). This is not a marketing decision but a legal commitment: we must demonstrate a documented cybersecurity strategy, operate vulnerability management, cooperate with market surveillance authorities, and comply with reporting obligations (Art. 24 CRA). These obligations go beyond what a commercial service provider would voluntarily commit to.
For projects, this means: we are legally obliged to support your development sustainably. For companies, this means: we receive security reports weeks to months before public disclosure — and can prepare fixes before the vulnerability becomes known.
To learn what exactly an open source software steward is and what it means for you, read our steward page.
Do you have an open source project and are looking for support? Are you a foundation that wants to discuss stewardship? Contact us.