The Open Source Security Foundation (OpenSSF) is only a few months old now, but the real question is why it isn't years old. After years of attackers exploiting bugs in OpenSSL, Apache Struts, and countless other projects, compounded by our own laziness in patching them, you would think we would have joined forces long ago to protect the open source supply chain upon which every organization depends. But we haven't. It wasn't until 2020 that we decided as an industry to stop piecemealing our approach to security.