S-Express - A Security Tiger Team for all FOSS maintainers


A voluntary peer review system, but for pull requests. Powered by (paid) experts, open to all FOSS maintainers. S-Express is fully open and transparent.

Is the TL;DR. Let me explain. [1]

Instead of throwing money around, having meta discussions on how to run FOSS better, keep it simple. A group of people, including some real experts for the truly weird cases. Let’s call it the S-Express (Security Express, and yes, when you remember the song, all the better :).

When you as maintainer of a FOSS project receive a pull request that looks dodgy, you can forward it to S-Express, who will take a look and report back with a first assessment in 24 hours. This should be run as a service that is free for every open source project out there.

The S-Express collective should collect, aggregate and deliver regular reports to the interested public on what trends they see and where more vigilance is needed. S-Express can and should have subgroups focusing on specific languages but also on emerging attack vectors. But they only give advice. The maintainer stays in control.

If you know a bit or a lot about possible attack vectors, you can join S-Express in many ways. As a volunteer, freelancer, full time, part time. This should be more of a network and not a foundation or something. Companies could allow their own security teams to participate for, say, up to 20% of their working time (1 day per week).

Why? Because it’s learning and sharing effectively for free and a way to give back to FOSS that is quite natural. It also educates their people on how to be a good community citizen.

Everything S-Express does MUST be made completely open, at max with a grace period to make sure patches are available before sharing truly dangerous stuff. This also helps to avoid insider risks inside the S-Express collective. Bad actors hate the public spotlight.

I am sharing this very unpolished first idea in the hope that it attracts people that can add positive criticism and ultimately with the hope that it might get implemented. I just needed to share it before I sabotage it myself with my own criticism :)

And the song would make for a wonderful stage intro/security podcast. That’s the real reason I share this. To remind you of the song ;)

This project would have the coolest swag, that’s for sure :) Just imagine the stickers, pins, t-shirts, tote bags!

But more seriously: S-Express would create self-sustaining feedback loops. Input generates output that leads to more input. It would also create datasets that can be used to gain insights into what maintainers perceive as dodgy/questionable and what experts think. Which in turn results in better risk calculations for all. Even for those that just read the regular reports.

I hope you get the idea that I’m trying to put from my brain into words. And I really hope that it can become a reality. I will be more than happy to present it on stage and dance to that ole song that defined me :) I guess I need to find a way to declare my next idea in a way that KLF is the fitting acronym ;)

  1. This is the edited version of a Mastodon thread I started at 

