Understanding Voluntary Security Attestations: Insights from the Survey
By Æva Black and Greg Wallace
With the Cyber Resilience Act (CRA) introducing new expectations for digital products, the open source community is exploring how to navigate these requirements thoughtfully while improving the long-term sustainability of the ecosystem. One potential path is the use of Voluntary Security Attestations (defined in Art. 25 of the CRA), a way for projects to communicate their security practices clearly and consistently.
To better understand the practical opportunities, the CRA Attestations project surveyed 151 developers and commercial users to see whether attestations could actually bridge the gap between regulatory needs and the reality of open source maintenance.
Listening to the Ecosystem
The survey, conducted between late January and mid-February 2026, aimed to move past assumptions and gather evidence. We focused on three key areas:
- Utility: Which security documents actually help a company feel safe using a project?
- Feasibility: What can a maintainer realistically provide without burning out?
- Sustainability: Could this framework create a way for companies to better support the projects they depend on?
Key Findings
The data suggests that security attestations can be a valuable tool for building trust and ensuring the long-term health of the ecosystem.
1. High-Impact, Low-Friction Practices
The report identified a “sweet spot” of information that is relatively easy for project maintainers to provide and highly valuable to the manufacturers that rely on open source. This includes:
- Documented Vulnerability and Security Policies: Knowing exactly how a project team approaches secure software development, handles vulnerabilities, and communicates and releases fixes.
- Predictable Release Cadences: Understanding how the project signals release cycles and when major versions will reach end-of-life.
- Security Reviews: External security audits, even occasional ones, act as significant trust signals.
2. A Bridge to Financial Sustainability
One of the most encouraging findings was the link between compliance and support. 57.6% of commercial users indicated they would be more willing to provide financial support to a project if it provided attestations that reduced their own internal auditing or certification costs. This suggests that “compliance” doesn’t have to be a burden on open source maintainers; it can instead become a common basis for corporate investment in project development and maintenance.
3. Global Consensus
Interestingly, the survey found a high degree of alignment across regions and company sizes. Whether in Europe or abroad, industry respondents largely agreed on what constitutes “good” security information. This consensus is a vital signal that creating a standardised approach should be possible.
Next Steps
The results of the survey provide a modest but clear roadmap. Moving forward, the CRA Attestations project will focus on developing a better understanding of implementation guidelines for third-party due diligence, and on how a voluntary security attestation programme can support such requirements while respecting the diversity of the open source community.
By focusing on transparency and mutual benefit, we can ensure that the Cyber Resilience Act strengthens, rather than hinders, the open source spirit.
Resources
The report and the raw data are available as part of the resources generated by the CRA Attestations project here.
