🧠 OSPO Strategy Challenge #2: A Critical Supply Chain Vulnerability

A new Open Source Strategy Simulator challenge is live.

:warning: The Situation

A critical vulnerability (CVSS 9.8) has been disclosed in an open source library that runs across multiple production systems.
Engineering teams depend on it.
Security is alarmed.
Delivery deadlines are tight.

As an OSPO or open source strategy leader, you must decide how to respond, not just tactically, but structurally.


:video_game: The Challenge

In this scenario, you’ll face the Supply Chain Hydra, a representation of hidden dependencies, transitive risk, and lack of visibility.

You must choose one of three paths:

A) Immediate patch + SBOM enforcement
Strong long-term resilience, slower short-term delivery.

B) Hotfix and move on
Fast, but fragile.

C) Hybrid dependency strategy
Centralize what’s critical, decentralize the rest.

Each decision impacts:

  • Speed of Innovation

  • Scalability

  • Security

  • Trust

  • Adoption

  • Costs

After choosing, the dilemma plays out as a short, RPG-style mini-simulation, not to “gamify” the problem, but to make cause-and-effect visible.
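To make option A concrete for the engineers who would have to carry it out, here is an added example; it is not part of the original post or of the simulator it announces. It assumes a CycloneDX-style SBOM (the `components` / `dependencies` JSON layout) and uses constructed, hypothetical package names, versions and bom-refs. It walks the SBOM's dependency graph to find every path from the application to an affected version of the vulnerable library, including transitive ones, and separately flags affected versions the SBOM lists but has no dependency edge for, which is exactly the "lack of visibility" the Hydra stands for.

```python
"""Added example, not code from the original post or the simulator it announces.

Given a CycloneDX-style SBOM, report every path from the application to a
vulnerable library (direct or transitive) and flag vulnerable components the
SBOM lists without any dependency edge: the build contains the bad version,
but nobody can say which dependency pulled it in. The SBOM, package names,
versions and bom-refs below are constructed for illustration.
"""
import json

# Constructed sample SBOM (subset of CycloneDX 1.5 JSON). All refs are hypothetical.
# parserlib 1.3.0 is listed as a component but no 'dependencies' entry points at it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app:payments",
                               "name": "payments-api", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/httpclient@2.1.0", "name": "httpclient", "version": "2.1.0"},
        {"bom-ref": "pkg:pypi/parserlib@1.4.2", "name": "parserlib", "version": "1.4.2"},
        {"bom-ref": "pkg:pypi/parserlib@1.5.0", "name": "parserlib", "version": "1.5.0"},
        {"bom-ref": "pkg:pypi/parserlib@1.3.0", "name": "parserlib", "version": "1.3.0"},
        {"bom-ref": "pkg:pypi/metrics@0.9.0", "name": "metrics", "version": "0.9.0"},
        {"bom-ref": "pkg:pypi/reporting@4.0.0", "name": "reporting", "version": "4.0.0"},
    ],
    "dependencies": [
        {"ref": "app:payments",
         "dependsOn": ["pkg:pypi/httpclient@2.1.0", "pkg:pypi/reporting@4.0.0"]},
        {"ref": "pkg:pypi/httpclient@2.1.0", "dependsOn": ["pkg:pypi/parserlib@1.4.2"]},
        {"ref": "pkg:pypi/reporting@4.0.0",
         "dependsOn": ["pkg:pypi/metrics@0.9.0", "pkg:pypi/parserlib@1.5.0"]},
        {"ref": "pkg:pypi/metrics@0.9.0", "dependsOn": []},
    ],
})


def parse_version(version):
    """Dotted numeric version -> comparable tuple. Real triage should use a
    proper version library (packaging.version, semver) for pre-releases/ranges."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, fixed_in):
    """Affected if strictly older than the first fixed release."""
    return parse_version(version) < parse_version(fixed_in)


def find_exposure(sbom_json, vulnerable_name, fixed_in):
    """Return {'paths': [...], 'orphaned': [...]}.

    paths    - every root-to-vulnerable-component path in the dependency graph
    orphaned - vulnerable components present in the SBOM but not reachable from
               the root: the SBOM knows the package is there, but not why
    """
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    components[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}

    vulnerable = {
        ref for ref, comp in components.items()
        if comp["name"] == vulnerable_name and is_affected(comp["version"], fixed_in)
    }

    paths, reached = [], set()

    def walk(ref, ancestors):
        reached.add(ref)
        chain = ancestors + [ref]
        if ref in vulnerable:
            paths.append(chain)
            return
        for child in graph.get(ref, []):
            if child not in chain:  # guard against cycles in a malformed SBOM
                walk(child, chain)

    walk(root["bom-ref"], [])
    return {"paths": paths, "orphaned": sorted(vulnerable - reached)}


def direct_dependencies_to_bump(exposure):
    """Direct dependencies of the root that carry the vulnerable library in;
    these are the pins a hotfix would bump. Sorted and de-duplicated."""
    return sorted({path[1] for path in exposure["paths"] if len(path) > 1})


if __name__ == "__main__":
    result = find_exposure(SAMPLE_SBOM, "parserlib", "1.5.0")
    for path in result["paths"]:
        print(" -> ".join(path))
    print("orphaned (present, but no dependency edge):", result["orphaned"])
    print("direct dependencies to bump:", direct_dependencies_to_bump(result))
```

Run against the constructed SBOM, it reports the transitive path through `httpclient` and flags `parserlib@1.3.0` as present but unexplained. An SBOM with only a `components` list and no `dependencies` section produces nothing but orphaned findings: you know the vulnerable version ships, but not which service or which pin to fix, which is why "hotfix and move on" (option B) tends to leave heads that regrow.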


:puzzle_piece: Why this matters

Supply chain incidents aren’t just security problems.
They’re organizational design problems.

This simulator is designed to help:

  • OSPO leaders

  • Platform teams

  • Engineering managers

  • Students of open source strategy

…practice decision-making before those decisions show up in production.


:backhand_index_pointing_right: What would you choose, and what trade-offs are you willing to accept?
Share your reasoning in the comments.


Haha, I love the Hydra metaphor! I’m torn between A and C: I’m leaning to A for SBOMs by default and stronger long-term resilience, but team autonomy is always tempting to me. Curious how others decide.