OSERA is the Open Source Enterprise Resiliency Alliance: a FINOS initiative helping regulated institutions close patch coverage gaps and operationalize remediation at scale. We help participants prioritize vulnerabilities, sponsor open back-patches, define shared consumption standards, and apply patches from upstream, vendors, and elsewhere, with greater consistency and evidence. Operational resilience, without the lock-in.
The upstream security response layer: coordinated vulnerability disclosure, remediation and upstreaming so fixes can reach open source projects responsibly.
The downstream operationalization layer: prioritization, standards, validation, back-patch sponsorship, vendor alignment, and rollout patterns for regulated enterprises.
The sector runs strikingly similar software — the same core libraries, in the same versions — so a flaw in one is a flaw in all. Incubated in financial services, where the regulatory bar is highest, the model is built to serve any regulated enterprise. Open collaboration is the neutral, sovereign way to provide the shared answer.
of open source dependencies sit unmanaged and outdated — resilience is a consumption problem, not just a patching one.
institutions are confident the components they consume are maintained and current. The rest are the weak links.
is all automation now needs to weaponise a published CVE. The window to apply a known fix has collapsed.
We apply fixes for known CVEs to the exact projects and versions the sector still runs. The source stays open; only the built, participant-ready release sits behind formation participation.
Offered back to the original project wherever it is alive — free and public for the whole community.
The canonical maintained source, fully transparent and auditable — for the cases upstream can't take the fix.
Built, signed artifacts participants consume through their existing proxy — the coordinates they already use, no CI change.
Not a vendor and not a buyers' club — an open ecosystem. Institutions that run open source meet the technology firms with deep upstream expertise that maintain it. No single firm sits in the middle.
FINOS neutral governance · open standards · per-project funding pools
Incubated in financial services — open to any regulated enterprise that runs the same software.
One effort, three constituencies — each with a clear reason to take part.
AI hasn't changed which vulnerabilities exist; it has changed how fast known ones are weaponised. And regulation now makes timely remediation a duty, not a choice.
Automation weaponises a published CVE in hours — but the same fix is still re-created, forked or bought firm by firm.
Supervisors increasingly treat third-party and open source risk as systemic and auditable.
Under the EU Cyber Resilience Act, vulnerability-reporting duties apply from Sep 2026 and full vulnerability-handling obligations from Dec 2027.
Indicative only — workstreams and deliverables are to be agreed by participants during formation.
What to maintain, who produces it, under what SLA — openly governed, upstream-first.
Consuming fixes in time across a regulated estate — and proving it. Risk Navigator is an early reference tool for prioritisation and remediation planning, alongside FINOS CALM and the Open SDLC Controls Framework.
One open standard so a fix from any producer is portable, verifiable and lock-in-free.
Potentially joint with OpenSSF + Akrites.
Proof, not slideware. The formation pilot already maintains these critical Java lines, validated end-to-end by participating banks through existing proxies with the coordinates they already use.
Stop paying for the same fix many times over.
One open channel to the whole sector.
Open to institutions of every size and to technology firms with upstream expertise, anywhere in the world.
Use the form below to propose a project for the alliance to consider maintaining, offer your firm as a tech producer, or share your interest in joining the effort. The FINOS team will follow up with next steps.
Join the funding effort and back the projects you depend on — pooled, per-project, pay for what you use.
Form submissions route to membership@finos.org. Prefer to talk first? Join the weekly Supply Chain Resiliency formation call.
FINOS institutions recognise they each pay, independently, to keep the same open source dependencies alive — forking, patching or buying support for identical CVEs.
Spearheaded by Moderne, the effort is brought to the FINOS community — in the open, not as a product — and a formation group convenes to design a mutualised, openly-governed model.
A working pipeline ships: critical Java lines maintained as back-patch releases and validated end-to-end by participating banks.
The Linux Foundation launches Akrites - the upstream security response and maintenance layer for critical open source. Read the Linux Foundation announcement.
FINOS announces the intent to form OSERA with support from Deutsche Bank, Goldman Sachs, Moderne, Morgan Stanley, RBC, Sonatype, and TD Bank Group. Read the OSERA announcement.
Coverage of the intent to form OSERA and the financial-services pilot behind it.
Keep remediation open, verifiable, portable, and consumable at scale. Propose a project, offer to maintain, or add your institution to the effort.