An open-source steward is the person or team inside an enterprise that owns governance for open-source software. The role usually covers policy decisions, component approval, license and security review, dependency tracking, and escalation when an upstream project becomes risky. In practice, the steward connects legal, engineering, and security teams so open-source use is managed consistently instead of informally.
This matters in cyber security because open-source code makes up most of the code in modern products, and attackers increasingly target the software supply chain (a dependency, its build, or its distribution channel) rather than a single application. A steward maintains the component inventory, tracks published vulnerabilities against it, decides when a dependency is patched, pinned, or replaced, and records those decisions for audits and for regulations such as the EU Cyber Resilience Act. Note that the Cyber Resilience Act uses the term "open-source software steward" for a separate, legally defined role (an organisation, typically a foundation, that systematically supports the development of open-source products placed on the EU market); the enterprise role described here is the internal function that consumes that upstream work, not the regulatory role itself. In defense, the steward supports SBOM generation, vulnerability triage, and release gating; in an incident, the SBOM inventory is what turns "which of our products ship the affected version?" from a week of grep into a query, which shortens the path to coordinated response.
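The SBOM, triage and release-gating work above is easiest to see as code. The following Python is an added example, not code from the original page or from any named project or standard body: it loads CycloneDX-style SBOMs for two hypothetical products, matches their components against a constructed advisory expressed as a package URL (purl) base plus an introduced/fixed version range, and applies a release-gate policy with an optional steward-recorded waiver. The product names, SBOM contents, advisory identifier, version range and the `release_allowed` policy are all assumptions made for illustration; the version comparison is a deliberately simple ordinal compare, not a full semver implementation.

```python
"""Cross-reference per-product SBOMs against a vulnerability advisory and gate a release.

Added example, not from the original page. Product names, SBOM contents, the
advisory ID and its version range are constructed for illustration.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM documents, as they would be read from an
# artifact store. Only the fields used below are present.
SBOMS: Dict[str, str] = {
    "checkout-service": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libfoo", "version": "2.3.1",
             "purl": "pkg:npm/libfoo@2.3.1"},
            {"type": "library", "name": "express", "version": "4.19.2",
             "purl": "pkg:npm/express@4.19.2"},
        ],
    }),
    "billing-service": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libfoo", "version": "2.3.4",
             "purl": "pkg:npm/libfoo@2.3.4"},            # already on the fixed version
            {"type": "library", "name": "libfoo", "version": "1.9.0",
             "purl": "pkg:maven/org.example/libfoo@1.9.0"},  # same name, other ecosystem
        ],
    }),
}

# Constructed advisory. The ID is a placeholder, not a real CVE or GHSA entry.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "purl_base": "pkg:npm/libfoo",  # ecosystem + name, no version
    "introduced": "2.0.0",          # first vulnerable version (inclusive)
    "fixed": "2.3.4",               # first fixed version (exclusive)
    "severity": "HIGH",
}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.3.1' -> (2, 3, 1). Each dotted piece is truncated at its first
    non-digit, so '1.0.0-rc1' compares as (1, 0, 0). Ordinal only, not semver."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, str]:
    """Split a purl into (base, version), dropping qualifiers and subpath.
    The purl spec percent-encodes '@' inside names, so the last '@' is the version."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in core:
        base, version = core.rsplit("@", 1)
        return base, version
    return core, ""


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """introduced <= version < fixed under the ordinal comparison above."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def affected_products(sboms: Dict[str, str], advisory: dict) -> Dict[str, List[str]]:
    """Return {product: [affected purls]} for every SBOM containing a component
    whose purl base matches the advisory and whose version is in range."""
    hits: Dict[str, List[str]] = {}
    for product, raw in sboms.items():
        for comp in json.loads(raw).get("components", []):
            purl = comp.get("purl")
            if not purl:
                continue  # unidentifiable component; a real pipeline should flag these too
            base, version = split_purl(purl)
            if base == advisory["purl_base"] and version and version_in_range(
                version, advisory["introduced"], advisory["fixed"]):
                hits.setdefault(product, []).append(purl)
    return hits


def release_allowed(product: str, affected: Dict[str, List[str]], advisory: dict,
                    min_blocking: str = "HIGH", waivers=()) -> bool:
    """Hypothetical gate policy: block when the product carries an affected
    component at or above min_blocking severity, unless the steward recorded
    a waiver keyed by (product, advisory id)."""
    if product not in affected or (product, advisory["id"]) in waivers:
        return True
    return SEVERITY_RANK[advisory["severity"]] < SEVERITY_RANK[min_blocking]


if __name__ == "__main__":
    hits = affected_products(SBOMS, ADVISORY)
    for name in SBOMS:
        print(name, hits.get(name, []), "release allowed:", release_allowed(name, hits, ADVISORY))
```

Matching on the purl base rather than the bare component name is the point of the example: `billing-service` carries a Maven artifact also called `libfoo`, and a name-only match would produce a false positive there. The waiver parameter is where the steward's documented risk acceptance enters the gate; keeping it keyed by advisory ID means a waiver for one advisory does not silently cover the next one.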