What you receive
You are not buying software or a dashboard. You receive a structured counterpart for your open source supply chain: documented results, audit-ready evidence, and operational intervention capability where you are currently blind.
Level 1: Your concrete deliverables
Security reports per incident
Every finding is documented: discovery, assessment, action, result. You receive a completed report that you can present to your auditor, your internal audit team, or your supervisory authority.
Compliance documentation
Audit-ready evidence with legal references — tailored to DORA, NIS2, or CRA. Not a generic report, but documentation that auditors understand and accept.
SBOM analysis and updates
Your SBOM is continuously analysed, evaluated, and checked for currency. OTTRIA does not create SBOMs but evaluates your existing software bills of materials and identifies risks, outdated components, and critical dependencies within them.
Risk overview
Regular assessment of all projects in your SBOM: criticality, maintainer status, activity level, abandonment probability. You see at a glance where action is needed.
Early warnings
For projects where OTTRIA is involved as a steward, you learn about security issues weeks to months before the public CVE disclosure.
Remediation protocols
Complete documentation: what was done when, by whom, with what result. The foundation for your internal traceability and external auditability.
Open source analysis protocols
Complete protocols of all open source analyses performed: which components were reviewed, which methods were applied, and which results were obtained. Audit-ready evidence documenting that the legally required analyses are being performed systematically.
Decision templates
When action is needed, you receive not an alert list but prepared options with risk assessment. You decide — on an informed basis.
Level 2: What OTTRIA does for that
Monitoring and detection
- Continuous CVE scanning of all components in your SBOM
- Silent fix detection — identification of silently fixed vulnerabilities (four to eleven per registered CVE) that no scanner finds
- Abandonment monitoring and project health analysis
- Tracking of transitive dependencies not shown in your direct inventory
- Monitoring of licence changes and project deletions
- Detection of operationally threatening bugs, as required by DORA
Intervention and remediation
- Coordinate upstream fixes or create them ourselves — including for projects without an active maintainer
- Provide patches for abandoned projects
- Backport security-relevant fixes
- Maintainer coordination across project boundaries
- Protective measures against project deletion and unexpected licence changes
Documentation and evidence
- Audit-ready reports with concrete legal references (DORA Art. X, NIS2 Art. Y, CRA Annex I)
- Evidence packages for auditors and supervisory authorities
- Risk documentation and complete remediation history
- Regular licence reviews of all SBOM components
Ecosystem support
- Bug bounty programmes, CI/CD infrastructure, hardware, and training for all projects in your SBOMs
- Not only for prestigious core projects, but for every dependency that keeps your software running
Level 3: Measurable impact
Unpatched vulnerabilities remain open. Without active upstream work, vulnerabilities are reported but not fixed. OTTRIA reduces this risk through active fixes and coordinated upstream work.
Zero-day vulnerabilities arrive without warning. Weeks pass between discovery and public disclosure. OTTRIA delivers early warnings and prepared measures before the vulnerability becomes public.
Individual maintainers drop out, projects stall. Critical dependencies often depend on a single person. OTTRIA monitors every critical dependency systematically and maintains the ability to act when someone drops out.
Audit evidence is missing or incomplete. Without structured documentation, every audit fails. OTTRIA delivers complete, audit-ready documentation with concrete legal references.
Abandoned projects become uncontrolled risks. When nobody maintains them anymore, the risk grows daily. OTTRIA takes over maintenance or provides patches.
Dependency on US tool vendors creates strategic risks. When a vendor changes its terms, European companies are left without alternatives. OTTRIA is a European provider with operational capability in the code.
Grant advisory
When security measures need to be implemented, various funding programmes are available that can cover part of the costs. Many companies do not know that investments in cybersecurity and open source governance can be partially funded through state, federal, or EU grants. OTTRIA advises you individually on the funding options that may be relevant to your situation. Our network includes specialised grant advisors — a rare profile in the open source world — who support you from identifying suitable programmes through to accompanying the application process. This lowers the barrier to entry and enables you to meet regulatory requirements more quickly and cost-effectively.
Digital sovereignty as a service dimension
Digital sovereignty is not a marketing term. It is the ability to act independently — even when upstream fails, a maintainer quits, or a tool vendor changes its terms.
OTTRIA delivers this sovereignty operationally:
- European provider — no dependency on US platforms or tool vendors
- Active participation instead of passive consumption — OTTRIA works in the code, creates patches, reviews commits, not just on a dashboard
- Ability to act in a crisis — when a critical project is abandoned, deleted, or compromised, OTTRIA can intervene rather than just report
- Supply chain independence — mirrors, forks, patches: the ability to keep your software supply chain running even when upstream fails
What we do not do
No access to your systems. This is a deliberate security decision. OTTRIA works exclusively in the open source world, not in your infrastructure. We are not an additional attack vector.
No assumption of liability. This is not possible from a regulatory perspective. The responsibility remains with you — as stipulated by DORA, NIS2, CRA, and the Product Liability Directive. OTTRIA reduces your risk and delivers the evidence. The decisions are yours.
No guaranteed resolution times. How long a fix takes in an open source project cannot be reliably predicted, because it depends on the complexity of the problem. We respond as quickly as possible and document every step.
No work outside the open source world. Our focus is our strength. For proprietary software, network security, or system integration, we recommend partners from our network.
The service cycle
Here is what the collaboration looks like:
- You submit your SBOM.
- OTTRIA matches all components within one day and begins ongoing monitoring.
- When a finding or vulnerability is detected, analysis, assessment, and action follow.
- You receive a report with documentation and recommended action.
- You decide and file.
- Monitoring continues — continuously, not as a one-off project.
Book an initial consultation and learn what you will concretely receive