2026-03-16, Wintergarten
With this discussion following the Chatham House Rule format, we wish to invite FOSS Backstage attendees to come together to explore how communities could issue risk-based attestations sufficient to reduce downstream compliance burdens in ways that support (rather than burden) open source communities.
The Cyber Resilience Act creates a transformative opportunity to strengthen both cybersecurity and the sustainability of open source through Article 25's voluntary security attestation framework.
We will examine practical implementation questions:
- How do we balance proportional requirements with project maturity?
- What governance models work for stewardship, as defined by the CRA?
- How can attestations create sustainable funding flows to upstream communities without capture by commercial interests?
Your perspective will help determine whether this framework becomes a tool for sustainability or part of a regulatory barrier to open collaboration.
This is an interactive session taking place under Chatham House Rules and is therefore not recorded.
Æva Black is an international thought leader on open source software security, with over 25 years of experience building digital infrastructure, leading open source projects, and advising on cybersecurity policy.
— “Technical Luminary” — Wired
After leading OSS Security Programs first in the Azure Office of the CTO and then at the U.S. Cybersecurity & Infrastructure Agency, Æva founded Null Point Studio, a boutique cybersecurity consulting firm in the Netherlands, to continue supporting the sustainability and security of free and open source software.
— “child prodigy turned creative genius” — CISA
A veteran of the first dot-com bubble, Æva’s signature red-and-black aesthetic has darkened conference stages around the world since 2005. When not behind a computer screen, they can be found on a motorcycle or looking for new ways to support their local queer community.
Gregor - Little Detritus - Bransky is a c-base member and German digital rights activist.
The core of his activist work is striving for public interest tech that empowers people instead of surveilling them. For the last five years he has been trying to find business models for public digital infrastructures.
He will guide you through the 700 square meters of c-base accessible to humans. He works on privacy-preserving digital platforms and infrastructures which empower users to make data-based decisions.
