FINOS has announced its intent to establish OSERA, a global, vendor-neutral open source resiliency alliance for financial services.
The initiative follows a successful pilot phase involving Deutsche Bank, Goldman Sachs, Morgan Stanley, Royal Bank of Canada (RBC), and TD Bank Group. During that phase, critical Java project versions were hardened by Moderne and released to a Sonatype Nexus repository neutrally hosted by FINOS.
The core premise behind OSERA is that financial institutions depend on broadly overlapping sets of open source components and versions, meaning a flaw in a shared dependency poses a simultaneous risk to multiple firms. Rather than each institution independently addressing the same vulnerability at its own cost, the alliance seeks to centralise that remediation in a neutral, governed environment, where fixes are produced once and made available to all members.
OSERA is designed as a downstream complement to Akrites, the Linux Foundation's recently announced cross-industry programme for coordinated disclosure and upstreaming of vulnerability fixes. Alongside the Open Source Security Foundation, OSERA intends to represent the financial sector's interests in defining industry-wide remediation standards.
Gabriele Columbro, executive director of FINOS, noted that AI-assisted scanning has reduced the time needed to identify serious vulnerabilities from weeks to minutes, creating the prospect of a significant increase in newly disclosed vulnerabilities across both current and legacy software versions. Furthermore, Columbro stated that FINOS began exploring mutualised backpatching and common supply chain standards in late 2025, and that AI-driven threats have since made this approach a priority at scale.
Regulatory alignment and pilot outcomes
According to the official press release, the alliance is being developed with structured compliance as a central objective. OSERA aims to provide a shared, auditable framework for meeting regulatory obligations under the EU's Digital Operational Resilience Act (DORA), the Network and Information Security Directive 2 (NIS2), and the EU Cyber Resilience Act, whose enforcement obligations are set to begin in 2026.
During the pilot, four widely used Java frameworks were backpatched and released in a member-only repository, with end-to-end consumption validated at three member banks without requiring changes to existing CI tooling. A shared prioritisation tool, the Risk Navigator, was also developed to allow member firms to collectively manage backpatch sequencing.
Dov Katz, Managing Director and Distinguished Engineer at Morgan Stanley, stated that at the scale large financial institutions operate, producing fixes represents only part of the challenge; reliable consumption of those fixes across a complex, regulated software estate is equally important. Katz added that OSERA is intended to align the ecosystem around practical, implementation-led standards for how open source fixes are produced, validated, and consumed.
The alliance plans to govern backpatches on a time-bound basis, typically spanning 12 to 24 months, with vendors contracted under service level agreements.