Six global banks complete open source security pilot as FINOS announces Project OSERA

The Fintech Open Source Foundation announced at the Open Source in Finance Forum in New York that it intends to form the Open Source Enterprise Resiliency Alliance (OSERA), a vendor-neutral coalition through which financial institutions will collectively patch open source vulnerabilities rather than each firm addressing the same flaws independently.

The pilot that preceded the announcement saw member banks test an end-to-end workflow: Moderne's automated backpatching tooling hardened four critical Java frameworks, and the resulting artifacts were released into a Sonatype Nexus repository hosted on FINOS-neutral infrastructure. Banks consumed the patches through their existing corporate proxies with no changes to CI tooling required.

The urgency behind the formation comes partly from how AI has shifted the economics of vulnerability research. Gabriele Columbro, executive director of FINOS, said the organisation began exploring mutualized backpatching in late 2025 and that AI has since compressed discovery timelines dramatically: "AI has collapsed the time to discover serious vulnerabilities from weeks of expert effort to minutes of automated scanning, and the sector should expect a flood of new CVEs across both current and older versions institutions still run."

For regulated institutions, the compliance burden compounds the technical one. OSERA's design targets readiness for DORA, NIS2, and the EU Cyber Resilience Act, packaging remediation evidence in machine-readable form to support audit requirements. Morgan Stanley Distinguished Engineer Dov Katz described the consumption side of the problem as equal in complexity to the patching itself: "At the scale large financial institutions operate, producing fixes is only half the challenge — consuming them reliably across a complex, regulated estate is just as important."

The alliance is positioned as a downstream complement to Akrites, the Linux Foundation's cross-industry coordinated disclosure effort launched recently. OSERA will collaborate with Akrites on upstreaming fixes and with the Open Source Security Foundation on remediation standards.

OSERA is currently inviting new member institutions and open source maintainers through osera.finos.org. Existing FINOS members can join the formation stage ahead of the full launch.
