Scaling Security from Zero - How a Small OSS Ecosystem Jumped Into the Deep End
Eclipse Foundation via YouTube
Overview
Learn how a small open source community went from having no security expertise to building regulatory compliance and security capabilities in this 14-minute conference talk. Discover the personal journey of starting with overwhelming regulatory documentation and turning it into structured action through the Ægis initiative within the Erlang Ecosystem Foundation. Explore practical strategies for aligning small communities through incremental decision-making, patient engagement, and focused resource allocation when capacity is limited. Examine key milestones, including securing external sponsorship, achieving OpenChain conformance, formalizing vulnerability handling as a CVE Numbering Authority (CNA), and developing Source SBOM tooling integrated with the OSS Review Toolkit. Understand how the EU Cyber Resilience Act served as a catalyst for a broader ecosystem transformation spanning SBOM generation, vulnerability lifecycle management, and building dedicated security engineering capacity. Gain insights into navigating compliance requirements with minimal staffing, and see that meaningful progress toward long-term ecosystem resilience is achievable even when starting from zero expertise.
Syllabus
Scaling Security from Zero: How a Small OSS Ecosystem Jumped Into the Deep End | Jonatan Männchen
Taught by
Eclipse Foundation