Merge pull request #218 from reshamas/rs-gh-oss

initial blog for GitHub Secure Open Source Fund

Author: reshamas

Gemfile

@@ -11,7 +11,10 @@ gem "jekyll-archives"
 gem "jekyll-target-blank"
 gem "jekyll-paginate"
 gem "jekyll-twitter-plugin"
-
+gem 'bundler', '~> 2.0'
+gem "csv"
+gem "logger"
+gem "bigdecimal"
 
 # If you want to use GitHub Pages, remove the "gem "jekyll"" above and
 # uncomment the line below. To upgrade, run `bundle update github-pages`.
@@ -33,5 +36,5 @@ platforms :mingw, :x64_mingw, :mswin, :jruby do
 end
 
 # Performance-booster for watching directories on Windows
-gem "wdm", "~> 0.1.1", :platforms => [:mingw, :x64_mingw, :mswin]
+gem "wdm", "~> 0.1.1", :platforms => [:windows]
 

Gemfile.lock

@@ -23,13 +23,15 @@ GEM
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
     base64 (0.2.0)
+    bigdecimal (3.2.2)
     coffee-script (2.4.1)
       coffee-script-source
       execjs
     coffee-script-source (1.12.2)
     colorator (1.1.0)
     commonmarker (0.23.11)
     concurrent-ruby (1.3.5)
+    csv (3.3.5)
     dnsruby (1.72.3)
       base64 (~> 0.2.0)
       simpleidn (~> 0.2.1)
@@ -227,6 +229,7 @@ GEM
     listen (3.9.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
+    logger (1.7.0)
     mercenary (0.3.6)
     mini_portile2 (2.8.8)
     minima (2.5.1)
@@ -275,6 +278,9 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  bigdecimal
+  bundler (~> 2.0)
+  csv
   github-pages
   jekyll-archives
   jekyll-feed (~> 0.12)
@@ -284,11 +290,12 @@ DEPENDENCIES
   jekyll-sitemap
   jekyll-target-blank
   jekyll-twitter-plugin
+  logger
   minimal-mistakes-jekyll!
   tzinfo (~> 1.2)
   tzinfo-data
   wdm (~> 0.1.1)
   webrick (~> 1.7)
 
 BUNDLED WITH
-   1.17.2
+   2.7.1

_posts/2025-08-16-gh-oss.md

@@ -0,0 +1,155 @@
+---
+title: "scikit-learn Completes the GitHub Secure Open Source Training"
+date: August 16, 2025
+categories:
+  - Press
+tags:
+  - Open Source
+featured-image: /assets/images/posts_images/gh-sosf/cover.png
+
+postauthors:
+  - name: Reshama Shaikh
+    website: https://reshamas.github.io
+    image: reshama_shaikh.jpeg 
+---
+
+<div>
+  <img src="{{ page.featured-image }}" alt="">
+  {% include postauthor.html %}
+</div>
+
+## Summary
+
+scikit-learn was honored to be selected to participate in Cohort 2 of the GitHub Secure Open Source Fund (OSF) Training Program. Cohort 1 took place earlier in 2025 with 19 projects, and Cohort 2 took place with 52 projects during June 2025. 
+
+<figure>
+ <img src="/assets/images/posts_images/gh-sosf/blog-title.png" alt="GitHub announcement of GH-S-OS Fund" style="padding:1px;border:solid black" style="border-width: thick" max-width="50%" max-height="50%" /> 
+ <figcaption>
+ Original post: <a href="https://github.blog/open-source/maintainers/securing-the-supply-chain-at-scale-starting-with-71-important-open-source-projects">GH Secure OSS Announcement</a>
+ </figcaption>
+</figure>
+
+
+It was an intense 3-week intense training program, with over 90 open source maintainers joining the training. Read the announcement from GitHub: [Securing the supply chain at scale: Starting with 71 important open source projects](https://github.blog/open-source/maintainers/securing-the-supply-chain-at-scale-starting-with-71-important-open-source-projects) 
+
+There were numerous workshops delivered by experts in the GitHub Security Lab. For many of these workshops, the learning materials are publicly available, and they are shared below.
+
+### GitHub Security Lab
+GitHub has its own security department, and GitHub Security Lab’s mission is to empower developers and secure open source.
+* GitHub Security Lab: [Resources](https://securitylab.github.com/resources-os)
+
+<figure>
+ <img src="/assets/images/posts_images/gh-sosf/gh-security-lab.png" alt="GitHub Security Lab"  
+ style="padding:1px;border:solid black" max-width="50%" max-height="50%" />  
+ <figcaption>
+ Original post: <a href="https://github.com/GitHubSecurityLab">GitHub Security Lab</a>
+ </figcaption>
+</figure>
+
+
+## Resources for Security Training
+The training provided many trainings by experts in the field. Below we share trainings that are available to the public.
+
+- [Configuring private vulnerability reporting for a repository](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)
+>Owners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting.
+- [OpenSSF Scorecard](https://securityscorecards.dev)
+- [Secure by design: A UX toolkit](https://microsoft.design/articles/secure-by-design-a-ux-toolkit)
+
+#### CodeQL: From Zero to Hero
+
+This workshop introduces fundamentals of security research and static analysis used when looking for vulnerabilities in software. They use an example of a simple vulnerability, walk through how CodeQL could detect it, and provide examples on how the audience could use CodeQL to find vulnerabilities themselves.
+
+slides: [Finding Vulnerabilities with CodeQL](https://github.com/sylwia-budzynska/2025-soss-codeql-workshop/blob/main/SOSS-CodeQL-slides.pdf)
+
+<figure>
+ <img src="/assets/images/posts_images/gh-sosf/CodeQL.png" alt="CodeQL audience and topics covered" 
+ style="padding:1px;border:solid black" max-width="50%" max-height="50%" /> 
+ <figcaption>
+ Original post: <a href="https://github.com/sylwia-budzynska/2025-soss-codeql-workshop">Finding Vulnerabilities with CodeQL</a>
+ </figcaption>
+</figure>
+
+#### Developing Secure Software
+
+This course includes specific tips on how to use and develop open source and other software securely. Learn the security basics to develop software that is hardened against attacks, and understand how you can reduce the damage and speed the response when a vulnerability is exploited. 
+
+It was developed by the Open Source Security Foundation (OpenSSF), a cross-industry collaboration that brings together leaders to improve the security of open source software by building a broader community, targeted initiatives, and best practices.
+
+* Online, Self Paced
+* 16-20 Hours of Course Material
+* Quizzes and Hands-on Labs
+
+<figure>
+ <img src="/assets/images/posts_images/gh-sosf/dss-lfd121.png" alt="course: Developing Secure Software" 
+ style="padding:1px;border:solid black" max-width="50%" max-height="50%" /> 
+ <figcaption>
+ Original post: <a href="https://training.linuxfoundation.org/training/developing-secure-software-lfd121">LFD121: Developing Secure Software</a>
+ </figcaption>
+</figure>
+
+#### OSS-Fuzz
+[Fuzz testing](https://en.wikipedia.org/wiki/Fuzzing) is a well-known technique for uncovering programming errors in software.
+
+<figure>
+ <img src="/assets/images/posts_images/gh-sosf/oss-fuzz.png" alt="OSS-Fuzz" 
+ style="padding:1px;border:solid black" max-width="50%" max-height="50%" /> 
+ <figcaption>
+ Original post: <a href="https://github.com/google/oss-fuzz">OSS-Fuzz</a>
+ </figcaption>
+</figure>
+
+
+### Secure Code Game
+Secure Code Game is a GitHub Security Lab initiative, providing an in-repo learning experience, where learners to secure intentionally vulnerable code. At the same time, this is an open source project that welcomes your contributions as a way to give back to the community.
+
+<figure>
+ <img src="/assets/images/posts_images/gh-sosf/secure-code-game.png" alt="Secure Code Game" 
+ style="padding:1px;border:solid black" max-width="50%" max-height="50%" /> 
+ <figcaption>
+ Original post: <a href="https://github.com/skills/secure-code-game">Secure Code Game</a>
+ </figcaption>
+</figure>
+
+### Participate in Future Cohorts of the GitHub Secure Open Source Training
+If you are a maintainer of an open source project, this training is an excellent opportunity to secure your project with guidance from highly trained experts in the security field. [Applications are open](https://docs.google.com/forms/d/e/1FAIpQLScDBalom0XhmJrvyI3kwD7dZ-dD4_uhmLNysVXtA8fH_WUKoA/viewform). 
+
+### References
+- [Securing the supply chain at scale: Starting with 71 important open source projects](https://github.blog/open-source/maintainers/securing-the-supply-chain-at-scale-starting-with-71-important-open-source-projects) (11-Aug-2025)
+- TechCrunch: [GitHub launches $1.25M open source fund with a focus on security](https://techcrunch.com/2024/11/19/github-launches-1-25m-open-source-fund-with-a-focus-on-security) (19-Nov-2024)
+- [GitHub Secure Open Source Fund](https://resources.github.com/github-secure-open-source-fund/)
+- [Eclipse Foundation Security Policy](https://www.eclipse.org/security/policy)
+- [Linux Foundation Security Policy](https://www.linuxfoundation.org/security)
+
+### Blogs from Participating Open Source Projects
+- OpenCV: [OpenCV’s Participation in the GitHub Secure Open Source Fund](https://opencv.org/blog/opencvs-participation-in-the-github-secure-open-source-fund)
+- Bootstrap: [Bootstrap at GitHub Secure Open Source Fund](https://www.linkedin.com/pulse/bootstrap-github-secure-open-source-fund-julien-d%2525C3%2525A9ramond-cvjie)
+- Cobra & Viper: [Cobra & Viper Fortify Security as Part of GitHub Secure Open Source Fund](https://spf13.com/p/cobra-viper-fortify-security-as-part-of-github-secure-open-source-fund)
+- Zitadel: [A Leap Forward in Security: Our Journey with the GitHub Secure Open Source Fund](https://zitadel.com/blog/github-secure-open-source-fund)
+
+
+
+## Acknowledgments
+
+Thank you to the funders and ecosystem partners of the GitHub Secure Open Source Fund.
+
+**Funding Partners:** Alfred P. Sloan Foundation, American Express, Chainguard, Datadog, Herodevs, Kraken, Mayfield, Microsoft, Shopify, Stripe, Superbloom, Vercel, Zerodha, 1Password
+
+<figure>
+ <img src="/assets/images/posts_images/gh-sosf/funders2.png" alt="Sponsors" style="padding:1px;border:solid black" 
+ max-width="50%" max-height="50%" /> 
+ <figcaption>
+ <a href="https://github.blog/open-source/maintainers/securing-the-supply-chain-at-scale-starting-with-71-important-open-source-projects"></a>
+ </figcaption>
+</figure>
+
+
+**Ecosystem Partners:** Ecosyste.ms, CURIOSS, Digital Data Design Institute Lab for Innovation Science, Digital Infrastructure Insights Fund, Microsoft for Startups, Mozilla, OpenForum Europe, Open Source Collective, OpenUK, Open Technology Fund, OpenSSF, Open Source Initiative, OpenJS Foundation, University of California, Santa Cruz OSPO, Sovereign Tech Agency, SustainOSS
+
+<figure>
+ <img src="/assets/images/posts_images/gh-sosf/ecosystem.png" alt="Ecosystem Partners" style="padding:1px;border:solid black" 
+ max-width="50%" max-height="50%" /> 
+ <figcaption>
+ <a href="https://github.blog/open-source/maintainers/securing-the-supply-chain-at-scale-starting-with-71-important-open-source-projects"></a>
+ </figcaption>
+</figure>
+