
Alpha-Omega at FOSDEM 2026: Confronting the Economics and Reality of Open Source Security

Every year, FOSDEM brings together the people who build, maintain, and depend on open source software. It is a place where hard technical problems meet real-world constraints, and where community conversations shape what comes next.

At FOSDEM 2026 (31 January–1 February, Brussels), Alpha-Omega will be part of that conversation through two sessions led by Michael Winser, co-founder of Alpha-Omega and longtime open source security leader.

Michael’s talks focus on two issues at the heart of today’s software supply chain: the sustainability of security infrastructure and how security data can be used practically instead of adding more noise.

Saturday: The terrible economics of package registries and how to fix them

🗓 Saturday | 13:30–13:55
📍 K.3.201 | Package Management Devroom


Package registries are critical infrastructure for modern software development. As they grow, they also become high-value targets and systemic points of failure. Yet most registries continue to operate on fragile funding models built on grants, donations, and goodwill, even as operational and security demands increase.

In this session, Michael will explore:

  • Why package registries face mounting security risk as they scale
  • The economic realities behind registry operations today
  • How Alpha-Omega is working with ecosystem partners to fund security improvements and explore sustainable, community-aligned revenue models
  • The tradeoffs involved when security, sustainability, and open access collide

This talk reflects Alpha-Omega’s core mission: funding and enabling systemic improvements to the open source security ecosystem, not just one-off fixes.

Sunday: Beyond SBOM: Integrating VEX into Open Source Workflows

🗓 Sunday | 10:30–11:00
📍 UD2.208 (Decroly) | SBOMs and Supply Chains Devroom


As SBOM adoption accelerates, many teams are discovering that inventory alone does not answer the question that matters most when a CVE appears: does this vulnerability actually affect my application? In practice, most reported issues never do, yet organizations still spend significant time reacting to alerts, upgrades, and investigations.

This session looks beyond SBOMs toward practical vulnerability prioritization, showing how VEX and reachability analysis can reduce noise and focus effort where it truly matters. Using a real-world case study from Apache Hadoop and Solr, the speakers demonstrate how tracing vulnerable code through call graphs helps determine whether an issue is exploitable downstream.
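The workflow the session describes, as an added example that is not code from Alpha-Omega, OpenRefactory or the Apache projects named here: a scanner matches SBOM components against advisories, a call-graph walk from the application's entry points decides whether the vulnerable function is actually on an execute path, and the verdict is written out as an OpenVEX document that downstream tooling can use to suppress the non-reachable findings. The call graph, the package URL, the entry point and the CVE identifiers are all constructed placeholders; only the OpenVEX field names and the `vulnerable_code_not_in_execute_path` justification are real.

```python
"""Reachability-driven VEX generation over a constructed call graph.

Added example, not code from any project mentioned on this page. The call
graph, package URL and CVE ids are placeholders; the document shape follows
OpenVEX 0.2.0 (status, justification, impact_statement are spec fields).
"""
import json
from collections import deque
from typing import Dict, Iterable, List, Set

# Constructed caller -> callees map for a hypothetical application that bundles
# a hypothetical third-party library "example/lib". Not real Hadoop/Solr code.
CALL_GRAPH: Dict[str, Set[str]] = {
    "app.main": {"app.handle_request", "lib.util.parse_config"},
    "app.handle_request": {"lib.json.decode", "app.render"},
    "app.render": {"lib.template.render"},
    "lib.json.decode": {"lib.json.decode_array"},
    "lib.json.decode_array": set(),
    "lib.util.parse_config": set(),
    "lib.template.render": set(),
    # Shipped in the library artifact but never called by this application.
    "lib.xml.parse_external": {"lib.xml.resolve_entity"},
    "lib.xml.resolve_entity": set(),
}
ENTRY_POINTS: List[str] = ["app.main"]

# Constructed scanner findings, as an SBOM-to-advisory match would produce.
# The CVE ids are placeholders, not real advisories.
FINDINGS: List[dict] = [
    {"cve": "CVE-2099-0001", "purl": "pkg:maven/example/lib@1.0",
     "vulnerable_symbol": "lib.xml.resolve_entity"},
    {"cve": "CVE-2099-0002", "purl": "pkg:maven/example/lib@1.0",
     "vulnerable_symbol": "lib.json.decode_array"},
    {"cve": "CVE-2099-0003", "purl": "pkg:maven/example/lib@1.0",
     "vulnerable_symbol": None},  # advisory names no function: cannot decide
]


def reachable(graph: Dict[str, Set[str]], entries: Iterable[str]) -> Set[str]:
    """Breadth-first walk from the entry points; returns every symbol on some call path."""
    seen: Set[str] = set()
    queue = deque(entries)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, ()))
    return seen


def vex_statement(finding: dict, reach: Set[str]) -> dict:
    """One OpenVEX statement for a finding, decided by call-graph reachability."""
    stmt = {
        "vulnerability": {"name": finding["cve"]},
        "products": [{"@id": finding["purl"]}],
    }
    symbol = finding["vulnerable_symbol"]
    if symbol is None:
        # No vulnerable function is known, so there is no evidence for not_affected.
        stmt["status"] = "under_investigation"
    elif symbol in reach:
        stmt["status"] = "affected"
    else:
        stmt["status"] = "not_affected"
        stmt["justification"] = "vulnerable_code_not_in_execute_path"
        stmt["impact_statement"] = (
            f"{symbol} is not on any call path from the application entry points")
    return stmt


def build_vex(findings: List[dict], graph: Dict[str, Set[str]],
              entries: Iterable[str], author: str = "example-app security team") -> dict:
    """Assemble an OpenVEX document covering every finding."""
    reach = reachable(graph, entries)
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.invalid/vex/example-app-1",  # constructed document id
        "author": author,
        "timestamp": "2026-01-01T00:00:00Z",  # constructed; emit the real time in practice
        "version": 1,
        "statements": [vex_statement(f, reach) for f in findings],
    }


def actionable(findings: List[dict], vex_doc: dict) -> List[str]:
    """CVEs still needing attention after applying the VEX document.

    affected and under_investigation stay in the queue; a finding with no VEX
    statement at all is also kept, because silence is not a verdict.
    """
    status = {s["vulnerability"]["name"]: s["status"] for s in vex_doc["statements"]}
    return [f["cve"] for f in findings
            if status.get(f["cve"], "under_investigation")
            in ("affected", "under_investigation")]


if __name__ == "__main__":
    doc = build_vex(FINDINGS, CALL_GRAPH, ENTRY_POINTS)
    print(json.dumps(doc, indent=2))
    print("still actionable:", actionable(FINDINGS, doc))
```

Two design choices matter here. A finding whose advisory does not name a vulnerable function gets `under_investigation`, not `not_affected`, because reachability analysis can only clear what it can locate; and `actionable` keeps anything the VEX document is silent about, so a consumer never treats a missing statement as a pass. A real call graph would come from the build (bytecode or source analysis) rather than a hand-written dict, and any `not_affected` statement should be regenerated whenever the application's entry points or dependencies change.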

The talk brings together complementary perspectives across the ecosystem. Munawar Hafiz, Founder and Head of Innovations at OpenRefactory, draws on his work in automated bug fixing and improving the precision of static analysis to move from detection toward remediation. Piotr P. Karwasz, a longtime open source contributor and full-time Apache Logging Services maintainer since Log4Shell, grounds the discussion in maintainer reality and the downstream impact of vulnerability disclosures. Michael Winser, co-founder of Alpha-Omega, connects these technical approaches to broader supply chain security needs and ecosystem-scale adoption.

Together, these perspectives show how better vulnerability context not only improves security outcomes but also reduces unnecessary work for maintainers and downstream users alike, a core focus of Alpha-Omega’s work across the open source ecosystem.

Join the Conversation

If you will be at FOSDEM 2026, we would love to connect.

👉 Join the OpenSSF #alpha_omega Slack to continue the discussion, ask questions, and coordinate meetups
👉 Let us know if you will be in Brussels using the tag #fosdem2026
👉 Stop by the sessions, join the hallway conversations, and help shape the future of open source security