Question on finding Azure security contributors for OpenShield rules

[flyoung588]

I was reading through OpenShield and noticed the project is already split in a way that seems contributor-friendly: scanner/rules/ for individual Azure checks, framework JSON mappings for CIS/NIST/ISO/SOC2, and matching Azure CLI remediation playbooks.

The current open rule issues also look like good bounded entry points: AZ-CMP-004 for automatic OS patching, AZ-CMP-003 for endpoint protection, and AZ-DB-004 for SQL Server auditing. Those are specific enough that someone with Azure security context could probably contribute without needing to understand the whole dashboard/API/Sentinel path first.

I’m Ray, a founder working in an adjacent space. This is a genuine question, not a pitch.

For a project like OpenShield, where the hard part is likely finding people who know both Azure and security posture well enough to add useful rules, have you already tried any manual channels to recruit contributors — GitHub issues, Discord, LinkedIn, Azure/security communities — and if so, which one has been least bad?

A short reply is plenty.

[Vishnu2707]

hey @flyoung588 , appreciate you taking the time to read through the codebase properly

honest answer, this started as something i built to help my students at Ulster University (QA) get real open source
experience. the idea was simple, give them a project that actually matters rather than another todo app

it grew faster than expected. We have just been shortlisted for an official OWASP project listing.

your read on the contributor gap is accurate finding people who know Azure security posture well enough to write a rule that does not produce false positives is genuinely hard. GitHub issues with the good-first-issue label has worked best for us, LinkedIn drives awareness but rarely converts to a PR.

curious what adjacent space you are working in, always open to connecting with people who are thinking about the same problems.

[flyoung588]

Thanks Vishnu — really useful data point.

Adjacent space: I've been having this exact conversation with maybe 80 OSS maintainers over the last few days. You're the first who's both (a) explicitly said the recruiting pain is real, and (b) already actively running multiple channels for it. Most are still in the "haven't tried it yet, focused on the product first" phase — which on reflection makes sense, because their bottleneck is often "do we have any contributors at all," whereas yours is the much sharper "do we have contributors with the right domain expertise."

The good-first-issue + LinkedIn split you described is interesting too. My read is that labels work specifically because your archetype is fungible-once-qualified — "someone with Azure security posture experience" is googleable, labelable, filterable. For repos where the archetype isn't really labelable (very specific domain experience that doesn't map to a clean tag), labels don't filter anything. Different bottleneck shapes probably need different tools.

Genuine question back: when LinkedIn drives awareness but rarely converts to PRs — is that mostly because the awareness lands on people without Azure security depth (wrong audience), or because the people who do have the depth aren't motivated to contribute (right audience, wrong incentive)? Those would point at very different fixes.

Happy to keep the conversation going either way. Congrats on the OWASP shortlist — that's a real signal.