S3C2 Summit 2025-09: Industry Secure Supply Chain Summit
Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel 2026-06-29 07:11 UTCgrok-4.3pith:WMK4LUFIrecord.jsonopen to challenge →
The pith
A 2025 summit of practitioners from eight organizations identified pressing software supply chain security challenges through structured discussions on six topics.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The summit produced a set of practitioner-derived insights into software supply chain risks by using curated questions to guide cross-domain conversation, thereby distinguishing persistent challenges from newly salient ones and supplying concrete directions for subsequent work.
What carries the argument
Curated discussion questions on six fixed topics that structured the sharing of experiences and pain points among participants from different domains.
If this is right
- Research efforts should allocate attention to the specific pain points recorded for vulnerable dependencies and build infrastructure.
- New collaborations seeded at the summit can test mitigations for malicious commits and container risks.
- Insights on culture and LLM integration can be turned into organizational practices that reduce supply-chain exposure.
- Tracking which challenges persist across successive summits provides a longitudinal view of how threats evolve.
Where Pith is reading between the lines
- Repeating the same format with rotated participants could test whether the same challenges recur or whether new ones appear with different industry slices.
- The distinction between continuing and novel topics offers a simple way to prioritize which issues merit immediate tooling versus longer-term study.
- If organizations adopt the reported takeaways, measurable reductions in incident rates could be tracked through public vulnerability databases.
Load-bearing premise
The ten participants drawn from eight organizations accurately reflect the most important challenges facing the broader industry.
What would settle it
A follow-up survey or additional summit involving substantially more organizations that surfaces a markedly different set of top-ranked challenges would show the current takeaways are not representative.
read the original abstract
Today's digital ecosystem relies heavily on software supply chains, which enable developers to reuse code and ship software at scale. However, a single vulnerable component can jeopardize the entire supply chain. In recent years, cyberattacks in software supply chains have become increasingly common. These attacks can disrupt critical systems and put organizations, including major software companies, government agencies, and open-source contributors, at risk. This growing threat has led to increased attention from both the software industry and the U.S. government toward strengthening software supply chain security. On September 15, 2025, three researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) convened a Secure Software Supply Chain Summit, bringing together 10 practitioners from 8 organizations across diverse domains. The goals of the Summit were threefold: (1) to facilitate cross-industry sharing of practical experiences and challenges in securing software supply chains; (2) to foster new collaborations among participants; and (3) to identify pressing challenges to guide future research directions. The Summit featured discussions on six central topics: vulnerable dependencies, component and container choice, malicious commits, build infrastructure, culture, and the role of LLMs in the supply chain. For each topic, participants engaged with a curated set of discussion questions designed to gather insights and pain points. This report summarizes the key takeaways from these discussions. Each section highlights which topics continued from previous summits and which ideas emerged for the first time in this summit; the full list of initial discussion prompts is provided in the appendix.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript is a report on the S3C2 Summit held on September 15, 2025, which convened 10 practitioners from 8 organizations to discuss software supply chain security. It summarizes practitioner insights on six topics (vulnerable dependencies, component and container choice, malicious commits, build infrastructure, culture, and the role of LLMs), notes continuations from prior summits and new ideas, and provides the initial discussion prompts in an appendix. The stated goals are cross-industry sharing, fostering collaborations, and identifying challenges to guide research.
Significance. If the reported takeaways faithfully capture the discussions, the report supplies timely practitioner perspectives on a high-priority area of cybersecurity. It explicitly documents limited scope (10 participants, 8 organizations) and distinguishes continued versus novel ideas, which aids researchers in prioritizing topics. No machine-checked proofs or quantitative derivations are present, but the descriptive format with appended prompts supports reproducibility of the event structure.
minor comments (2)
- The abstract states that each section 'highlights which topics continued from previous summits,' but the manuscript should explicitly cross-reference prior S3C2 summit reports (if published) to allow readers to verify continuity claims.
- The appendix lists initial discussion prompts; ensure all six topics have their full prompt sets included with consistent formatting.
Simulated Author's Rebuttal
We thank the referee for their thorough review and positive recommendation to accept the manuscript. The report's value in documenting practitioner insights from the S3C2 Summit is well-aligned with our goals of sharing cross-industry experiences and guiding research.
Circularity Check
No significant circularity identified
full rationale
This document is a descriptive report of a one-day industry summit. It contains no equations, derivations, fitted parameters, predictions, or first-principles claims. All content consists of factual summaries of participant discussions on six topics, with explicit statements that the scope is limited to the ten attendees from eight organizations. Mentions of prior summits are contextual only and do not serve as load-bearing justification for any result. No self-citation, self-definition, or renaming patterns apply.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
- [1]
- [2]
- [3]
-
[4]
Imranur Rahman, Yasemin Acar, Michel Cukier, William Enck, Christian Kastner, Alexandros Kapravelos, Dominik Wermke, and Laurie Williams
-
[5]
S3C2 Summit 2024-09: Industry Secure Software Supply Chain Summit. arXiv:2505.10538 [cs.CR] https://arxiv.org/abs/2505.10538
- [6]
- [7]
-
[8]
Nusrat Zahan, Yasemin Acar, Michel Cukier, William Enck, Christian Kästner, Alexandros Kapravelos, Dominik Wermke, and Laurie Williams. 2024. S3C2 Summit 2023-11: Industry Secure Supply Chain Summit. arXiv:2408.16529 [cs.CR] https://arxiv.org/abs/2408.16529 A Initial Discussion Questions (1) Vulnerable Dependencies.What processes and/or tools do you use t...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.