Michael Lieberman, CTO and Co-Founder of Kusari, breaks down the European Union’s Cyber Resilience Act (CRA) and explains its impact on open source maintainers, stewards, and manufacturers. In this insightful interview, discover:
Why open source maintainers are "off the hook" for CRA compliance
How commercial product manufacturers bear primary responsibility
Which practical tools, such as the OpenSSF Security Baseline, can help with compliance
Which types of digital products fall under CRA jurisdiction (and which don’t)
How the CRA might positively reshape security practices in open source
Lieberman clarifies: "The obligation will be on ACME Corp to do the right things—adding patches themselves if necessary, and working with me." He highlights how organizations like the Linux Foundation serve as "open source stewards" to help foster community-driven security solutions.
Want to improve your project’s security posture? Lieberman recommends tools like OpenSSF Scorecard that "can help apply baseline rules and enforce that for all projects."
This conversation is essential viewing for open source contributors, security professionals, and technology leaders navigating the evolving regulatory landscape.
Timestamps
00:00 – Introduction to CRA
01:25 – Definition and purpose of CRA
02:46 – Open source maintainer obligations
09:51 – Security tools for compliance
13:49 – Clarifying responsibilities
19:57 – Global regulatory landscape
24:25 – Positive impacts on security collaboration