Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

Vulnerability Coordination Across the Open Source Ecosystem

When a vulnerability affects a library used by thousands of projects, coordinating the fix is harder than writing the patch. The coordination problem is open source security's biggest operational challenge.

Nov 12, 20227 min read
Open Source Security

Sigstore Reaches GA: Free Software Signing for Everyone

Sigstore's general availability in October 2022 made cryptographic signing accessible to every developer. Here's why this is a watershed moment.

Oct 15, 20226 min read
Open Source Security

npm Registry Security Gets Serious: 2022's Major Improvements

From mandatory MFA for top packages to enhanced login verification, npm made significant security improvements in 2022. Here's what changed.

Oct 1, 20226 min read
Open Source Security

OSS Review Toolkit (ORT): Automating License Compliance at Scale

The OSS Review Toolkit handles license scanning, vulnerability detection, and compliance policy enforcement. Here's how to put it to work.

Sep 28, 20226 min read
Open Source Security

Rust Supply Chain Security: How crates.io Stacks Up Against npm and PyPI

Rust's crates.io registry has design advantages for supply chain security, but it's not immune. Here's an honest assessment of the Rust ecosystem.

Sep 8, 20226 min read
Open Source Security

Linux Kernel Supply Chain Security: How the World's Largest Project Protects Itself

The Linux kernel is the most critical open source project on earth. Its supply chain security practices offer lessons for every project, but also reveal challenges that scale creates.

Sep 8, 20227 min read
Open Source Security

Open Source Security Bounty Programs: Do They Actually Work?

Bug bounty programs for open source projects promise market-driven vulnerability discovery. The reality is more complicated, with perverse incentives, quality problems, and funding gaps.

Aug 18, 20226 min read
Open Source Security

The Open Source Software Bill of Rights

As governments and enterprises demand more from open source maintainers, the community pushes back with a framework of rights. The tension between accountability and sustainability is shaping the future of open source.

Jul 20, 20226 min read
Open Source Security

Open Source Funding Models and Their Impact on Security

The way open source projects get funded directly shapes their security outcomes. From corporate sponsorship to bounty programs, each model creates different incentives and blind spots.

May 22, 20227 min read
Open Source Security

OpenSSF Alpha-Omega Project: Securing Open Source at Scale

The Alpha-Omega Project, backed by $5M from Google and Microsoft, aims to improve security of the most critical open source projects. Here's what it means for the ecosystem.

Apr 28, 20225 min read
Open Source Security

Rust Crate Supply Chain Security: Lessons from a Growing Ecosystem

As Rust adoption accelerates, its crate ecosystem faces the same supply chain threats that plague npm and PyPI. Here's what the Rust community is doing right — and where gaps remain.

Jan 20, 20225 min read
Open Source Security

Log4j and the Maintainer Burnout Crisis Nobody Talks About

The Log4Shell vulnerability exposed more than a critical flaw in Java logging. It revealed a systemic failure in how the industry treats the people who maintain critical open source infrastructure.

Jan 18, 20227 min read
Open Source Security (Page 33) — Supply Chain Security Blog | Safeguard