Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
Vulnerability Coordination Across the Open Source Ecosystem
When a vulnerability affects a library used by thousands of projects, coordinating the fix is harder than writing the patch. The coordination problem is open source security's biggest operational challenge.
Sigstore Reaches GA: Free Software Signing for Everyone
Sigstore's general availability in October 2022 made cryptographic signing accessible to every developer. Here's why this is a watershed moment.
npm Registry Security Gets Serious: 2022's Major Improvements
From mandatory MFA for top packages to enhanced login verification, npm made significant security improvements in 2022. Here's what changed.
OSS Review Toolkit (ORT): Automating License Compliance at Scale
The OSS Review Toolkit handles license scanning, vulnerability detection, and compliance policy enforcement. Here's how to put it to work.
Rust Supply Chain Security: How crates.io Stacks Up Against npm and PyPI
Rust's crates.io registry has design advantages for supply chain security, but it's not immune. Here's an honest assessment of the Rust ecosystem.
Linux Kernel Supply Chain Security: How the World's Largest Project Protects Itself
The Linux kernel is the most critical open source project on earth. Its supply chain security practices offer lessons for every project, but also reveal challenges that scale creates.
Open Source Security Bounty Programs: Do They Actually Work?
Bug bounty programs for open source projects promise market-driven vulnerability discovery. The reality is more complicated, with perverse incentives, quality problems, and funding gaps.
The Open Source Software Bill of Rights
As governments and enterprises demand more from open source maintainers, the community pushes back with a framework of rights. The tension between accountability and sustainability is shaping the future of open source.
Open Source Funding Models and Their Impact on Security
The way open source projects get funded directly shapes their security outcomes. From corporate sponsorship to bounty programs, each model creates different incentives and blind spots.
OpenSSF Alpha-Omega Project: Securing Open Source at Scale
The Alpha-Omega Project, backed by $5M from Google and Microsoft, aims to improve security of the most critical open source projects. Here's what it means for the ecosystem.
Rust Crate Supply Chain Security: Lessons from a Growing Ecosystem
As Rust adoption accelerates, its crate ecosystem faces the same supply chain threats that plague npm and PyPI. Here's what the Rust community is doing right — and where gaps remain.
Log4j and the Maintainer Burnout Crisis Nobody Talks About
The Log4Shell vulnerability exposed more than a critical flaw in Java logging. It revealed a systemic failure in how the industry treats the people who maintain critical open source infrastructure.