Virtually Attend FOSDEM 2026

How public administrations are shifting their software supply chain paradigms – and why now

2026-02-01T12:20:00+01:00 for 00:20

The open-source ecosystem, and quite prominently the Cloud Native Computing Foundation (CNCF), has matured to the point where proprietary vendors are increasingly challenged to keep up on formalities and documentation, historically one of their key advantages. Innovations such as OCI attestations and Vulnerability Exploitability eXchange (VEX) go beyond metadata: they have the potential to fundamentally change how software is procured and evaluated. This talk explores the concept of shared responsibility in software security and quality, focusing on practical initiatives in Germany, including the container ecosystem, the openCode platform and its Badge Programme. It shows how transparent standards, verifiable provenance, and community-driven approaches can strengthen digital sovereignty, improve supply chain security, and reshape the way public sector organisations adopt and reuse software.
