Brussels / 31 January & 1 February 2026

Could Compliance Costs Sustain FOSS? A Theory of Voluntary Attestations

What if open source software projects could receive ongoing, sustaining funding from the corporations that use those projects commercially, without changing the license or charging a fee for usage? This may sound self-contradictory; soon, it may be more than theoretical.

Article 25 of the Cyber Resilience Act gives the European Commission the opportunity to create a Delegated Act for Voluntary Security Attestations. This could open a path for open source project maintainers, stewards, or third parties to reduce manufacturers' cybersecurity compliance obligations in exchange for sustained funding. The exchange benefits companies by reducing their compliance costs, without turning the open source foundation into a manufacturer itself, without it assuming liability, and without jeopardizing a steward's non-profit status.

In this presentation, Æva Black will introduce their ongoing work with the Eclipse Foundation to develop an understanding of how such a programme might function and how it might impact different segments of our community-of-communities.

This presentation is part one of a two-part series. Part two will feature a panel discussion with representatives of open source foundations and the European Commission.

Speakers

Æva Black
