Customer Stories

Trusted by the enterprises that can’t afford downtime.

From Fortune 100 financial institutions to national healthcare networks — here’s how enterprise teams use OSSeva to stay patched, compliant, and operational.

20+ Enterprise customers
9 Industries served (Financial Services, Retail, Healthcare, Government, Insurance, Manufacturing, Logistics, Energy, Media)
0 Audit findings on our watch

Financial Services / OSSeva Assure

Top 3 US Bank

Outcome

Passed OCC technology audit without a single finding related to unsupported software for the first time in three years.

Challenge

Running PostgreSQL 11 across 40+ production databases with no upstream security patches available, exposing the institution to unacceptable regulatory and audit risk under OCC guidelines.

Solution

OSSeva delivered monthly CVE patches for PostgreSQL 11, produced compliance documentation mapped to OCC and FFIEC controls, and provided 24/7 incident response SLAs.

PostgreSQL

OSSeva gave us the audit evidence package we needed on day one. Our examiners saw a mature extended support posture and moved on.

Chief Information Security Officer

Retail / OSSeva Patch

National Leading Retailer

Outcome

Reduced OSS support costs by 71% compared to prior Tanzu commercial licensing while maintaining full CVE coverage.

Challenge

Broadcom's VMware Tanzu pricing increase made continuing Spring commercial support financially untenable, yet 200+ microservices depended on Spring Framework 5.x with no migration budget or timeline.

Solution

OSSeva provided extended security support for Spring Framework 5.3 and Spring Boot 2.7, delivering patched builds and CVE remediation directly into the customer's artifact repository.

Spring Framework, Spring Boot

When Broadcom's renewal came in at four times the prior year cost, OSSeva was the obvious answer. We got better patch turnaround at a fraction of the price.

VP of Platform Engineering

Healthcare / OSSeva Operate

Global Healthcare Network

Outcome

Eliminated all critical and high CVEs on clinical messaging infrastructure within 30 days and maintained zero-breach status through a subsequent HHS audit.

Challenge

A network of 38 hospitals relied on RabbitMQ 3.8 for critical clinical messaging, an end-of-life version that internal teams could not patch, leaving PHI-carrying message flows exposed to known vulnerabilities whose exploitation could trigger a reportable breach under the HIPAA Breach Notification Rule.

Solution

OSSeva assumed full managed operations for RabbitMQ 3.8 across all hospital clusters, applying security patches and delivering HIPAA-aligned compliance documentation monthly.

RabbitMQ

Patient data flows through our RabbitMQ clusters every second. OSSeva gave us the coverage we needed without forcing a disruptive migration mid-fiscal year.

Director of Healthcare IT Infrastructure

Financial Services / OSSeva Assure

Fortune 500 Financial Services Firm

Outcome

Passed SOC 2 Type II audit without revision, with auditors citing OSSeva's evidence package as a model for third-party OSS risk management.

Challenge

Redis OSS 6.x reached end of life and the organization faced pressure from their SOC 2 auditors to demonstrate a credible vulnerability management program for the caching layer underpinning their trading platform.

Solution

OSSeva provided patched Redis 6.x builds with CVE remediation SLAs of 14 days or fewer, plus a SOC 2 evidence pack covering change management, vulnerability disclosure, and patch verification.

Redis

Our auditors had never seen OSS extended support handled this cleanly. The evidence package closed every open item before the fieldwork even started.

Head of IT Risk and Compliance

Government / OSSeva Assure

Large Federal Government Agency

Outcome

Resolved outstanding ATO finding in 45 days and maintained continuous ATO status through the next annual assessment cycle.

Challenge

Agency systems ran Apache Kafka 2.8 on a FedRAMP boundary with no approved patch source after community EOL, creating a continuous ATO maintenance finding that risked suspension of their authorization.

Solution

OSSeva delivered FedRAMP-aligned patch documentation and hardened Kafka 2.8 builds, providing the artifact provenance and STIG-compatible configurations required by the agency's authorizing official.

Apache Kafka

The ATO finding had been open for eight months. OSSeva came in, understood the FedRAMP documentation requirements immediately, and closed it.

Information System Security Officer

Insurance / OSSeva Patch

Top 5 US Insurance Carrier

Outcome

Reduced open CVE count from 14 to zero within 21 days and held that posture across six subsequent monthly patch cycles.

Challenge

The carrier's policy administration platform depended on PostgreSQL 12 and Redis 6 in combination, with internal security scans surfacing 14 unpatched CVEs that could not be remediated without upstream support.

Solution

OSSeva delivered coordinated patch releases for both PostgreSQL 12 and Redis 6, with regression-tested builds validated against the carrier's existing schema and data access patterns.

PostgreSQL, Redis

Having one vendor coordinate patches across two different OSS components saved us enormous internal coordination overhead. Everything landed tested and documented.

VP of Application Security

Manufacturing / OSSeva Operate

Tier 1 Automotive Manufacturer

Outcome

Achieved IEC 62443 SL-2 compliance for the messaging layer across all 12 facilities, unblocking a planned factory automation expansion.

Challenge

Factory floor IoT messaging ran on RabbitMQ 3.9 across 12 production facilities globally, with OT security teams unable to accept the risk of an unpatched message broker on networks adjacent to operational technology.

Solution

OSSeva provided managed RabbitMQ operations including patching, configuration hardening, and 24/7 monitoring, delivering monthly security reports aligned to IEC 62443 OT security requirements.

RabbitMQ

Our OT security team had blocked the automation project for two quarters over the messaging broker risk. OSSeva resolved it in weeks.

Global Head of OT Security

Healthcare / OSSeva Assure

Leading Regional Health System

Outcome

Remediated all 23 open CVEs within 60 days and achieved HITRUST CSF certification on the EHR integration platform on first attempt.

Challenge

A Spring Boot 2.x microservices platform supporting EHR integrations had accumulated 23 open CVEs with no internal capacity to backport fixes after the Spring commercial support window closed.

Solution

OSSeva delivered patched Spring Boot 2.7 and Spring Security 5.x builds with a 30-day remediation SLA, producing HIPAA and HITRUST evidence packages for each patch cycle.

Spring Boot, Spring Security

HITRUST certification had been blocked by the open CVEs for over a year. OSSeva cleared the backlog and gave us the documentation to close the certification.

Chief Information Security Officer

Logistics / OSSeva Operate

National Logistics and Freight Company

Outcome

Completed migration from Kafka 2.6 to Kafka 3.6 in 11 weeks with zero downtime and zero data loss across all shipment tracking topics.

Challenge

Real-time shipment tracking depended on Apache Kafka 2.6 processing 4 million events per day, but the platform had gone EOL with three critical CVEs open and no internal Kafka engineering expertise to manage backports.

Solution

OSSeva assumed full managed operations for the Kafka 2.6 cluster including patching, performance tuning, and on-call support, with a parallel migration roadmap to Kafka 3.x delivered within the engagement.

Apache Kafka

We had no Kafka engineers on staff and a platform that could not go down. OSSeva operated it safely and moved us forward at the same time.

SVP of Technology

Energy / OSSeva Assure

Fortune 500 Energy Company

Outcome

Satisfied NERC CIP-007 patch management requirements at the next audit with zero non-compliances, avoiding potential fines of up to $1M per violation per day.

Challenge

SCADA-adjacent systems ran PostgreSQL 13 with NERC CIP compliance requirements demanding documented vulnerability management and patch SLAs that upstream community support could no longer provide.

Solution

OSSeva delivered NERC CIP-aligned extended support for PostgreSQL 13, providing patch documentation, evidence of testing procedures, and audit-ready reports satisfying CIP-007 patch management requirements.

PostgreSQL

NERC CIP patch management requirements are unforgiving. OSSeva's documentation was built for auditors, not just engineers.

Director of Operational Technology Security

Media / OSSeva Patch

Global Media and Entertainment Company

Outcome

Passed PCI DSS Level 1 assessment without any open findings against the caching infrastructure for the first time in two assessment cycles.

Challenge

Streaming content delivery relied on Redis Cluster running version 6.x as a session and rate-limiting cache, with PCI DSS requirements demanding a patched and documented software stack that could not be satisfied post-EOL.

Solution

OSSeva provided patched Redis 6.x builds with PCI DSS evidence packs for the QSA's Report on Compliance, delivering quarterly vulnerability assessment reports and patch verification artifacts aligned to PCI DSS Requirement 6 (develop and maintain secure systems and software).

Redis

Our QSA flagged the Redis version every single year. OSSeva closed that finding permanently with documentation the QSA accepted without question.

VP of Platform Security

Healthcare / OSSeva Operate

National Specialty Pharmacy Chain

Outcome

Completed RabbitMQ migration in 8 weeks and satisfied the DEA corrective action requirement 14 days ahead of the regulatory deadline.

Challenge

Drug dispensing systems depended on RabbitMQ 3.8 for order routing, and DEA compliance audits flagged the EOL messaging platform as a systemic risk requiring a corrective action plan within 90 days.

Solution

OSSeva delivered a corrective action plan with immediate CVE patches for RabbitMQ 3.8, compliance documentation, and a managed migration to RabbitMQ 3.13 completed within the regulatory deadline.

RabbitMQ

We had a regulatory clock running and needed both immediate patching and a migration path. OSSeva delivered both without us having to choose.

Chief Compliance Officer

Financial Services / OSSeva Assure

Global Investment Management Firm

Outcome

Closed ISO 27001 control deficiency within 60 days and achieved surveillance audit certification renewal with zero major nonconformities.

Challenge

Risk calculation services ran Spring Framework 5.3 on end-of-life status, and the firm's ISO 27001 auditors cited the lack of a supported patch program as a control deficiency requiring remediation within one audit cycle.

Solution

OSSeva provided extended support for Spring Framework 5.3 with ISO 27001 Annex A-mapped patch documentation, delivering controlled change evidence and vulnerability disclosure records for each release.

Spring Framework

The ISO auditors wanted to see process, evidence, and SLAs. OSSeva had all three ready before we even asked.

Information Security Manager

Financial Services / OSSeva Patch

Top 10 US Retail Bank

Outcome

Reduced open CVEs from 11 to zero and closed the six-month internal compliance exception within a single quarter.

Challenge

Core banking message processing ran on Apache Kafka 2.7 with 11 open CVEs and an internal policy requiring all critical infrastructure to run on actively supported software, creating a compliance exception that had been escalating for six months.

Solution

OSSeva remediated all 11 CVEs in Kafka 2.7 within 30 days and established an ongoing patch program with FDIC examination-ready documentation, resolving the internal policy exception.

Apache Kafka

Six months of exception escalation ended in four weeks. The internal audit team closed the finding and moved on.

Head of Core Banking Technology

Insurance / OSSeva Assure

National Property and Casualty Insurer

Outcome

Satisfied state insurance department examination requirements and received a clean supervisory letter with no required corrective action on software currency.

Challenge

Claims processing microservices built on Spring Boot 2.6 and PostgreSQL 11 were flagged in a state insurance department examination for operating on unsupported open-source components without a documented remediation program.

Solution

OSSeva provided simultaneous extended support for Spring Boot 2.6 and PostgreSQL 11, delivering state regulator-ready compliance documentation and a structured upgrade roadmap accepted by the examination team.

Spring Boot, PostgreSQL

State examiners are not technically deep, but they know what a compliance gap looks like. OSSeva's documentation told the right story.

Chief Risk Officer

Government / OSSeva Patch

Large Municipal Transit Authority

Outcome

Maintained FTA compliance and secured continued federal grant eligibility, avoiding an estimated $4.2M in potential grant clawback risk.

Challenge

Passenger information systems and real-time vehicle tracking relied on Redis 5.x and RabbitMQ 3.7, both well past EOL, with no budget for a full platform replacement and FTA federal grant compliance requirements looming.

Solution

OSSeva delivered extended support patches for both Redis 5.x and RabbitMQ 3.7, producing FTA-aligned compliance documentation that satisfied the agency's federal oversight reporting requirements.

Redis, RabbitMQ

We could not afford a platform replacement and we could not afford to lose the federal grant. OSSeva gave us a third option we did not know existed.

Chief Technology Officer

Manufacturing / OSSeva Operate

Global Tier 1 Semiconductor Manufacturer

Outcome

Reduced Kafka-related engineering overhead by an estimated 1,800 hours annually and eliminated all production incidents attributable to unpatched vulnerabilities.

Challenge

Fab yield analytics platform processed petabytes of sensor data through Apache Kafka 2.8 clusters, but the engineering team had no capacity to manage Kafka operations while simultaneously delivering on a major product roadmap.

Solution

OSSeva assumed full managed operations for the Kafka 2.8 environment including cluster health, patching, capacity planning, and on-call escalation, freeing the internal team to focus on product development.

Apache Kafka

We were spending senior engineering time on Kafka operations instead of yield improvement algorithms. OSSeva took that burden completely off our plate.

VP of Engineering, Data Platforms

Financial Services / OSSeva Assure

National Online Brokerage Platform

Outcome

Submitted FINRA response package within 18 days and received no further examination findings on OSS vulnerability management in the subsequent review cycle.

Challenge

Order execution systems depended on Redis Cluster 6.x as the low-latency cache layer, with FINRA examination staff citing unpatched open-source components as a risk management deficiency requiring a written response within 30 days.

Solution

OSSeva delivered a written FINRA response package, patched Redis 6.x builds, and an ongoing vulnerability management program with quarterly reporting, designed to address the examination staff's technology risk findings and the firm's FINRA Rule 4370 business continuity obligations.

Redis

FINRA gave us 30 days to respond. OSSeva drafted the response, patched the software, and set up the ongoing program. We hit the deadline with days to spare.

Chief Compliance Officer

Manufacturing / OSSeva Patch

Fortune 500 Consumer Packaged Goods Company

Outcome

Reduced annual OSS support spend by 68% compared to Broadcom commercial licensing while improving average CVE patch turnaround from 47 days to 12 days.

Challenge

Global ERP integration middleware ran on Spring Integration 5.x with RabbitMQ 3.8 as the message backbone, both EOL, and a Broadcom pricing event made commercial support renewals cost-prohibitive across 6 regional data centers.

Solution

OSSeva replaced the Broadcom commercial support contract for both Spring Integration 5.x and RabbitMQ 3.8, delivering patched artifacts to all 6 regional artifact repositories and absorbing the full CVE monitoring and remediation workload.

Spring Integration, RabbitMQ

Broadcom's pricing was a forcing function, but switching to OSSeva actually gave us faster patches and better documentation. We should have moved sooner.

Enterprise Architect, Integration Platform

Healthcare / OSSeva Assure

Large Academic Medical Center

Outcome

Achieved Joint Commission recertification and satisfied NIH security requirements for two active research grants totaling $18M in funding.

Challenge

Research data platforms and clinical trial systems ran on PostgreSQL 12 and 13 with Joint Commission and NIH grant compliance requirements that could not be met without an active, documented patch program for database infrastructure.

Solution

OSSeva provided extended support for PostgreSQL 12 and 13 across clinical and research environments, delivering HIPAA, Joint Commission, and NIH security framework-aligned compliance packages for each patch cycle.

PostgreSQL

NIH grant reviewers scrutinize your security posture now. OSSeva's documentation gave our grants office the evidence they needed to check every box.

Director of Research Computing

Frequently asked questions

What is OSSeva and who is it for?

OSSeva is an enterprise extended lifecycle support provider for open-source software. It is for large enterprises — Fortune 500 and Global 2000 companies — that run open-source middleware, databases, and frameworks at scale, in regulated environments, and cannot immediately migrate when community support ends. Our customers are typically platform engineers, SRE leads, and CISOs at financial services, healthcare, retail, and technology companies.

Is OSSeva a division of AceMQ?

Yes. OSSeva is a division of AceMQ Ltd., a global enterprise consulting firm with over 12 years of enterprise messaging and data expertise. AceMQ was built on deep RabbitMQ and distributed messaging engineering, and OSSeva extends that expertise to the full enterprise open-source stack.

What makes OSSeva engineers qualified to patch these runtimes?

Our engineering team includes individuals with deep Erlang/OTP and RabbitMQ internals expertise, former contributors to the Spring Framework and Spring Security projects, PostgreSQL DBAs and contributors to PostgreSQL's C code base, and Kafka committer-level expertise. OSSeva is one of only two commercial entities, alongside Broadcom, with the engineering depth to produce production-quality CVE backports for community RabbitMQ versions.

Which enterprise customers does OSSeva serve?

OSSeva serves Global 2000 enterprises across financial services, healthcare, retail, and technology. Notable reference deployments include top-3 US banks, national retailers, and technology firms with Fortune 50 clients. Customer names are disclosed on a named-reference basis following customer approval — contact us for a reference call relevant to your industry.

Join these teams. Book a discovery call.

Tell us which technologies you're running and we'll build a custom support proposal in 48 hours.