Can security attestations deliver on their promise to simplify due diligence and strengthen open source sustainability?
- Track: CRA in practice
- Room: UA2.114 (Baudoux)
- Day: Saturday
- Start: 18:00
- End: 18:15
The implementation of the EU Cyber Resilience Act is currently shaped by two flawed assumptions: that most open source projects have a steward, and that stewards are synonymous with foundations. Data from the JavaScript and Rust ecosystems shows the opposite—hundreds of thousands of widely used packages exist outside any stewardship structure, while foundations oversee only a tiny fraction. The CRA anticipated this reality and introduced a separate mechanism to help manufacturers meet due-diligence requirements: a security attestation program intended to function as an open-source analogue to CE marking. Done well, attestations can dramatically simplify compliance while improving security and sustainability across the ecosystem.
Current proposals, however, lean toward lightweight models that offer limited value to manufacturers and little support for the maintainers who produce the software those manufacturers rely on. This talk proposes a more effective middle path: an attestation approach that leverages maintainer expertise, delivers clear and actionable assurances to manufacturers, and creates sustainable revenue channels for projects.
Using the OpenJS Foundation’s Ecosystem Sustainability Program (ESP) as a concrete example, we will illustrate how project-approved commercial support, revenue sharing, and clear integration points can produce benefits for both manufacturers and maintainers. ESP demonstrates how a structured program can help fund essential security and maintenance work without requiring projects to become foundation-stewarded. By connecting these lessons to the CRA’s attestation framework, the session outlines what a truly useful attestation system could deliver: practical compliance for manufacturers, meaningful support for maintainers, and a healthier, more resilient open source ecosystem.
Speakers
- Tobie Langel