2026-03-16, Room bUm Box
Open source security is often overlooked until a crisis hits. This talk compares the impact of volunteers versus dedicated full-time security engineers in the Python and Ruby ecosystems. It highlights how consistent investment strengthens community resilience, reduces risk, and proves that security isn’t a cost but an essential strategy.
Perfect security works like a transparent umbrella — it shields you from the storm, often without you realizing there’s one. That invisibility, however, is why open source security is too often seen as a cost rather than a strategic investment.
Most organizations only start paying attention to security after a crisis — think Log4j — when it’s already too late. In the open source world, many projects depend on volunteers to respond to security incidents. Their contributions are invaluable, but what happens when projects have dedicated, full-time security engineers instead?
In this session, we’ll explore that question through the stories of Mike, Seth, and Samuel, who once volunteered their time supporting security in the Python and Ruby ecosystems. With funding from AWS and Alpha-Omega, they later became full-time security engineers employed by the Python Software Foundation and Ruby Central.
By comparing their impact as volunteers versus full-time professionals, we’ll quantify the value of dedicated security investment and measure its return on investment.
Open source is everywhere — securing it benefits everyone. Through this talk, we’ll challenge you to rethink security not as an afterthought or a cost center, but as a core strategy worth proactive investment.
Miaolai Zhou is an Open Source Program Manager at AWS, where she focuses on strengthening open source security and sustainability. She serves as an organizer of PGConf NYC, manager of the PostgreSQL NYC User Group, and Chair of the Marketing Advisory Council at the OpenSSF. Passionate about building and connecting open source communities, Miaolai works to measure the real-world impact of funding on open source security and long-term project health. Her experience bridges community engagement, strategic investment, and data-driven advocacy for a more secure and sustainable open source ecosystem.
