Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Compliance

License Compliance Debt: The Quiet Risk Growing Alongside...

Open source license debt is compounding as fast as CVE backlogs, but has no CVSS score, no patch, and no dashboard — until an audit, M&A deal, or lawsuit forces the issue.

Aug 12, 20257 min read
Open Source Security

Why 'Time to Fix' Is a Better Supply Chain Metric Than Vu...

Vulnerability counts measure how hard you're looking, not how exposed you are. Here's why mean time to remediate is the metric that actually predicts breach risk.

Aug 12, 20259 min read
Open Source Security

The Long Tail of Abandoned Open Source Projects and Enter...

Abandoned open source packages sit quietly in enterprise SBOMs until a burned-out maintainer, a hijacked account, or a patient attacker turns them into the next supply chain incident.

Aug 12, 20257 min read
Open Source Security

Monorepo vs Polyrepo: How Architecture Choices Shape Supp...

Monorepos and polyrepos don't just shape build times — they shape blast radius, patch speed, and dependency visibility. Here's how each affects supply chain risk.

Aug 11, 20257 min read
Open Source Security

What a Decade of Open Source Vulnerability Data Tells Us ...

CVEs grew sixfold in a decade. Here is what a decade of open source vulnerability trends reveals about ecosystem maturity, from Log4Shell to the xz backdoor.

Aug 11, 20258 min read
Open Source Security

Direct vs Transitive Vulnerabilities: Why the Distinction...

Most CVEs in your stack aren't in packages you chose — they're transitive. Here's why direct vs transitive vulnerabilities need different fixes and different priority.

Aug 11, 20258 min read
Open Source Security

How Package Manager Design Choices Influence Supply Chain...

npm, PyPI, RubyGems, Go, and Cargo each made different design bets on install scripts, namespacing, and signing — and those bets directly shape supply chain attack surface.

Aug 11, 20258 min read
Open Source Security

The Economics of Free Riding in Open Source Security

Open source runs on unpaid labor while billion-dollar companies use it for free. Here's the economics behind Log4Shell, xz-utils, and the free rider problem.

Aug 10, 20258 min read
Vulnerability Analysis

Why Vulnerability Disclosure Timelines Still Vary Wildly ...

Google gives vendors 90 days, ZDI gives 120, the EU wants 24 hours, and Linux had no CVE process until 2024. Here's why disclosure timelines diverge so sharply across ecosystems.

Aug 10, 20257 min read
Open Source Security

From Log4Shell to Now: What Changed and What Didn't in Su...

Three years after Log4Shell, Log4j is still found in production systems. Here is what the industry fixed, what it didn't, and why the risk persists.

Aug 10, 20258 min read
Open Source Security

The Hidden Risk of Copy-Pasted Code Snippets from Forums ...

Copy-pasted code from Stack Overflow and AI chats often ships with hidden vulnerabilities. Here's the data behind the risk, real breaches it caused, and how to catch it.

Aug 10, 20258 min read
Open Source Security

Do Bug Bounties Actually Reduce Open Source Risk? An Inde...

Bug bounties didn't catch Log4Shell or the XZ Utils backdoor. An independent look at what OSS bounty programs actually cover — and where they structurally fall short.

Aug 9, 20257 min read
open-source-security (Page 25) — Safeguard Blog