open-source
Safeguard articles tagged "open-source" — guides, analysis, and best practices for software supply chain and application security.
138 articles
CVE-2025-9086 in cURL: Patch Posture & SBOM Response
Heap out-of-bounds read in libcurl's cookie path comparison affects nearly every Linux distro. Defender SBOM playbook below.
Open Source Maintainer Succession Planning: A Supply Chain Imperative
When a solo maintainer disappears, entire dependency chains are at risk. How organizations should approach succession planning for critical open source projects.
CVE-2025-49794 in libxml2: Patch Posture & SBOM Response
libxml2 use-after-free during XPath schematron parsing scored CVSS 9.1. Defender SBOM playbook for one of the most-embedded libraries on the planet.
Building an Open Source Risk Intelligence Platform: Beyond Vulnerability Scanning
Vulnerability scanning is one dimension of open source risk. A true risk intelligence platform must also evaluate maintainer health, project sustainability, licensing, and malicious package threats.
Open Source Security Census 2025: Who Maintains the Code We All Depend On?
An analysis of the state of open-source security in 2025. Critical infrastructure runs on projects maintained by small, often unpaid teams. Here is what the data shows and why it matters.
OSS Code of Conduct: Security Impact
Codes of conduct are not just social documents. They affect maintainer retention, contributor diversity, and ultimately the security posture of the project.
Open Source Security Funding in 2024: Who Pays for the Code We All Depend On
Despite growing recognition that open source underpins critical infrastructure, security funding remains fragmented and insufficient. A look at the numbers and what needs to change.
Forking Strategy for Enterprise OSS
Forking was once a last resort. In 2024 it became a standard response to license changes, governance failures, and stalled projects. A good forking strategy is now an enterprise competency.
Foundation-Neutral Governance Evaluation
CNCF, Linux Foundation, Apache, Eclipse — each has a different governance model. A practical evaluation of what that means for projects considering adoption.
OpenSSF Scorecard Adoption Metrics: Late 2024
OpenSSF Scorecard crossed 1M scanned repos in October 2024. We break down adoption, score drift, and which checks are actually predictive.
Open Source Foundation Governance Models
The Linux Foundation, Apache Software Foundation, CNCF, and Eclipse each codify different theories of how open source projects should be governed. The differences matter more than most adopters realize.
Labyrinth Chollima and Open Source Targeting
Labyrinth Chollima's operations show a specific pattern — poisoned open source packages as initial access. A profile of the tradecraft and the defensive response.