Open Source Security Remains a Challenge

Recent events highlight ongoing risks in the open-source ecosystem, with 12 new zero-day vulnerabilities discovered in OpenSSL. In response to such threats, GitHub’s Secure Open Source Fund has granted $670,000 to 67 projects to bolster the security and resilience of critical software dependencies.

- All 12 of the OpenSSL vulnerabilities were discovered by an AI system from the security firm AISLE, marking a significant milestone for AI-powered security research in a codebase that has been heavily audited by humans for decades.
- One of the most severe flaws found, CVE-2025-15467, is a stack buffer overflow with a "CRITICAL" 9.8 CVSS score, which could potentially allow for remote code execution. Some of the bugs discovered had remained in the code for over 25 years, with one predating the OpenSSL project itself.
- The GitHub fund provides more than just money; each of the 67 projects receives $10,000, a three-week security training program, and a full year of mentorship and support from the GitHub Security Lab.
- This funding initiative was launched in November 2024 in response to systemic risks highlighted by major incidents like the 2021 Log4Shell vulnerability, which prompted a White House-led effort to secure the open-source ecosystem.
- The increasing reliance on open-source software within government and critical infrastructure has elevated its security to a national security concern for the U.S. and Europe.
- Broader open-source supply chain attacks are a significant threat, having increased by over 400% between 2021 and 2023, according to one report.
