COSCUP 2026 開源人年會

企業開源治理的守門人:從 OpenSSF Scorecard 到 S2C2F 的實踐之路
2026年8月8日 , TR209

隨著開源軟體成為現代企業開發的基石,軟體供應鏈安全已不再是選擇題。實際上,企業在推動開源治理時,往往面臨「標準模糊」與「開發者反彈」兩大挑戰。

本場演講將分享在企業內部推動開源治理借鏡國際社群 OpenSSF 經驗。我們將從 OpenSSF Scorecard 的自動化評分機制出發,探討如何量化開源專案的安全風險;接著引入 S2C2F (Secure Supply Chain Consumption Framework) 與 OSPO Baseline,建構一套完整的企業開源治理框架。


難易度: 中階

我是一位對開源充滿熱忱的 TPM。目前我在國泰金控與夥伴一同推動 OSPO,在 OSRB 治理與 DevRel 社群經營之間建立橋樑。

目前正致力於開拓一條專屬於 PM 的開源之路,近期深耕研究 OpenSSF Scorecard, OSPS Baseline ,S2C2F 的相關國際專案。除了參與 2026 OSPOlogy Asia 委員會與 TODO Group,我也熱衷於將大型企業的實務帶回社群。

說到底,我熱愛我所做的事,也相信開源帶來更好的世界。此外,我也是個網球愛好者🎾

I’m a Technical Project Manager with a deep passion for open-source. At Cathay Financial Holdings, I work alongside squad to drive OSPO initiatives, bridging the gap between OSRB governance and DevRel community engagement.

I am currently on a mission to carve out a unique path for PMs in the open-source ecosystem. My recent focus has been on the practical implementation of international projects such as the OpenSSF Scorecard, OSPS Baseline, and S2C2F. Beyond my daily work, I serve on the OSPOlogy Asia 2026 Program Committee and contribute to the TODO Group, where I advocate for bringing real-world enterprise practices back to the community.

In the end, I love what I do and firmly believe that open collaboration builds a better world. Also, I’m a huge tennis lover! 🎾