Cybersecurity is a central topic for governments around the world. The European Union’s Cyber Resilience Act (CRA) introduced rules on how software should be developed, tested, audited and supported to ensure more secure software. Because open source software underpins today’s global digital infrastructure, this has a profound impact on many actors in the open source software ecosystem.

The Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation are jointly announcing our intention to collaborate on the establishment of common specifications for secure software development based on existing open source best practices. The working group is forming to address the multifaceted challenges of cybersecurity in the open source ecosystem, and to demonstrate our commitment to cooperation with and implementation of the CRA.

The group’s initial effort will be to enumerate existing security policies and procedures of the respective open source foundations, and similar documents describing best practices. For years, the foundations and communities have created and maintained industry best practices for secure software development processes. With these best practices as our starting point, we aim to accelerate the development of cohesive cybersecurity processes required for regulatory compliance while offering a neutral environment for hosting technical discussions with the open source community at large. Neutrality of foundations, vendors, communities, etc. is central to this effort.

The new working group will be hosted at the Brussels-based Eclipse Foundation AISBL under the auspices of the Eclipse Foundation Specification Process. The governance of the working group will follow the Eclipse Foundation’s usual member-led model but will be augmented by explicit representation from the open source community to ensure diversity and balance in decision-making.
The deliverables will consist of one or more process specifications made available under a liberal specification copyright licence and a royalty-free patent licence.