ACCESS Newswire

FINOS Announces Intent to Form OSERA, a Global Financial Services-Led Alliance for Open Source Supply-Chain Resiliency in the Era of AI

26.6.2026 15:00:00 CEST | ACCESS Newswire | Press release

Spearheaded by Moderne and Piloted by FINOS Institutional Members, the Open Source Enterprise Resiliency Alliance Mutualizes Open Source 'Backpatching', Promotes Vendor-Neutral Industry-Wide Remediation Standards and Accelerates Evidence-Based, Compliant Open Source Consumption at Scale

NEW YORK CITY, NY / ACCESS Newswire / June 26, 2026 / At the Open Source in Finance Forum, FINOS, the financial services arm of the Linux Foundation, announced its intent to form an Open Source Enterprise Resiliency Alliance (OSERA), a global, vendor-neutral, member-governed coalition to strengthen the industry's supply chain resiliency. OSERA will strengthen the open source components that underpin the sector by securing them through a vendor-neutral, upstream-aware approach and accelerating their compliant consumption at scale.

The announcement follows a successful Member-only end-to-end pilot phase by Deutsche Bank, Goldman Sachs, Morgan Stanley, Royal Bank of Canada (RBC), and TD Bank Group, in which critical Java project versions were hardened by Moderne and released to a Sonatype Nexus repository, neutrally hosted by FINOS.

Incubated in financial services where the regulatory bar is highest, OSERA seeks to serve any enterprise, building on the strong guiding principles of openness and collective responsibility set out by its founding members.

As part of the Linux Foundation's response to the new wave of AI-Enabled open source supply chain security threats, OSERA complements the recently announced Akrites, the cross-industry effort enabling coordinated disclosure and upstreaming. As a financial services downstream complement to Akrites, OSERA will collaborate with Akrites in the upstreaming process and, together with the Open Source Security Foundation, represent the voice of the industry in defining remediation standards.

The vision for OSERA

Financial institutions depend on strikingly common open source dependencies and versions, so a flaw in one is a risk to all. Rather than each firm spending resources to address the same vulnerability in the same package alone, the alliance will mutualize that work in a neutral venue while providing tools to accelerate consumption at the speed of AI.

Key benefits include:

  • Operational resilience. Known vulnerabilities in the exact versions firms still run are fixed once and consumed by all, faster than any firm could alone.

  • Lower, shared cost. A recurring single-firm "hardening tax" is replaced with one openly governed program, funded through a pooled model: pay for what you depend on.

  • Regulatory readiness. A shared, auditable way to meet DORA, NIS2, and the EU Cyber Resilience Act, whose duties begin in 2026.

  • No new lock-in. Remediation stays open, verifiable, and portable - a neutral, sovereign alternative to depending on any single vendor.

"AI has collapsed the time to discover serious vulnerabilities from weeks of expert effort to minutes of automated scanning, and the sector should expect a flood of new CVEs across both current and older versions institutions still run," said Gabriele Columbro, executive director, FINOS. "We started exploring mutualized backpatching and adopting common supply chain standards in late 2025; now AI has made this approach urgent at scale."

What the pilot stage has already proven

During the pilot effort, FINOS members have successfully tested a working end-to-end pipeline.

Results include:

  • Four critical Java frameworks backpatched. Widely used high-risk versions were patched and initially released in a member-only repository. When upstreaming is not a viable option, forks are maintained as a public fork governed by the Alliance.

  • End-to-end flow, validated by three member banks. Releases consumed through firms' corporate proxy, validated end-to-end, with no change to CI tooling.

  • Shared prioritization and industry standard-setting. A shared "Risk Navigator" is available for firms to collectively prioritize backpatches, with agreed artifact-naming conventions and VEX assertions.

  • A predictable "platform" model. Backpatches are meant to be time-bound (12/24 months) and maintained by vendors with strong upstream credentials under SLAs contracted by the alliance.

Two sides of the same coin: standardized remediation and regulated consumption at scale

Following the recent rise of AI-aided cyber threats, a wave of open source remediation efforts is forming across the public and private sectors, including vendor coalitions, commercial vulnerability clearinghouses and open source LTS vendors. Each is valuable, but independently they risk creating fragmentation, new lock-ins and systemic concentration risks.

OSERA seeks to keep the remediation of shared, non-differentiating infrastructure in an open, standards-based, vendor-neutral layer, so a fix is verifiable and consumable by whoever produced it - vendors are partners, not gatekeepers.

And while most of the industry's attention has so far been on producing fixes, for regulated firms, evidence-based consumption at scale in complex and regulated operating environments is equally critical to effectively manage supply chain risk.

"At the scale large financial institutions operate, producing fixes is only half the challenge - consuming them reliably across a complex, regulated estate is just as important," said Dov Katz, Managing Director & Distinguished Engineer, Morgan Stanley. "OSERA helps align the ecosystem around practical, implementation-led standards for how open source fixes are produced, validated, and consumed, so critical dependencies can be secured once and adopted broadly in a verifiable way."

"Ingesting, testing, deploying and proving remediation across a vast regulated software estate is as important as producing the fixes themselves," continued Columbro. "OSERA aims to standardize a machine-readable consumption evidence pack mapped to DORA, NIS2 and the EU Cyber Resilience Act, as well as AI-powered tools to upgrade at scale, so 'patched, tested, deployed' is provable without a manual fire drill."

Join OSERA

OSERA is built for the global financial sector and is inviting new enterprise participants and maintainers. To join the FINOS member-only formation stage ahead of launch, contact the team at https://osera.finos.org/#involved or, if you already are a FINOS member, reach out to membersuccess@finos.org.

If you are an individual or a vendor and would like to be considered as a maintainer, propose the project / ecosystem and share your credentials at https://osera.finos.org/#involved.

Supporting quotes

"FINOS gives us a neutral place to collaborate on open-source security, in step with the Linux Foundation and upstream maintainers. Proving the model first, with room to scale globally, is the right way to build something the whole sector can rely on." - Peter Thomas, Managing Director & Distinguished Engineer, Deutsche Bank

"AI has compressed vulnerability discovery from weeks to minutes, but fixing the old libraries enterprises depend on hasn't moved. Moderne's deterministic infrastructure makes industrial-scale backpatching possible. Bringing that capability to FINOS lets the financial industry secure these shared dependencies once, for everyone." - Jonathan Schneider, CEO and Co-Founder, Moderne

"Frontier LLMs have compressed the time between a vulnerability being discoverable and being exploitable, making it difficult for any institution to keep pace on its own. Coordinating through a neutral, finance-governed alliance is a highly credible way for our industry to respond at the speed this moment demands." - Bhupesh Vora, Europe Head of Capital Markets Quantitative & Technology Services, Royal Bank of Canada (RBC)

"Open source supply-chain resilience is a shared responsibility across the whole sector, not just the largest firms. A global, neutral home lets institutions of every size benefit from the same coordinated, evidence-bearing remediation." - Mark Paulsen, Head, Open Source Program Office, TD Bank Group

"The OpenSSF community welcomes OSERA and we look forward to further collaborating on financial services grade remediation standards. Only through those, in step with Akrites, can we ensure upstream-first remediation that strengthens the commons and the emergence of tools and methodologies to upgrade at scale." - Steve Fernandez, General Manager, OpenSSF

"Finding vulnerabilities is getting easier. Proving that they have been fixed across a regulated software estate is not. Financial institutions often depend on the same open source components and the same older versions, which means every firm solving the same problem alone is wasted motion. OSERA gives the industry a neutral way to harden shared dependencies once, consume them safely, and carry the evidence forward." - Brian Fox, Co-founder and CTO of Sonatype, Steward of Maven Central

"The open source that underpins finance is shared by the entire world, and securing it is a collective responsibility. After the launch of Akrites, I am excited to see a critical industry like financial services continuing to rise to the challenge in the open with OSERA: This is exactly the kind of collaboration this moment calls for." - Jim Zemlin, CEO, The Linux Foundation

About FINOS

FINOS (The Fintech Open Source Foundation) unites the financial services industry to build open technologies and standards that enhance profitability, improve resilience, and accelerate innovation. FINOS is the trusted community designed by regulated industry participants to solve industry-wide challenges and drive operational excellence and financial technology innovation. As part of the Linux Foundation, FINOS provides a neutral, well-governed home for open source collaboration across the industry. With a global community of more than 100 member organizations, including major financial institutions, fintechs, and technology firms, FINOS advances open standards and production-grade open source for finance. This work embeds these technologies and standards into the core workflows, platforms, and policies of financial institutions, making them essential to how the industry builds, operates, and evolves. FINOS advocates for a clear focus on measurable ROI from open source adoption.

Learn more at www.finos.org.

Media Contact (FINOS):
Tosha Ellison
Research and Communications, FINOS
tosha.ellison@finos.org
+1 (415) 215 3563

SOURCE: FINOS / The Linux Foundation
