“What we’re seeing is years of lack of investment sustainment in open-source software that is finally starting to catch up to us, where it seems like every week there’s a new supply chain compromise,” said Jack Cable, who worked on open-source security at the Cybersecurity and Infrastructure Security Agency before departing under President Donald Trump.
Project Glasswing’s scan: thousands of flagged vulnerabilities, few fixes
One striking metric drives the urgency: Project Glasswing reported finding 6,202 high- or critical-severity vulnerabilities in a scan of more than 1,000 open-source projects. The group disclosed only 502 of those findings to maintainers, and as of May 22 only 75 had been patched. That gap — between discovery, disclosure and remediation — encapsulates the practical problem experts describe: discovery capabilities, including advances in AI, are racing ahead of the processes and resources that turn findings into fixes.
Why attackers prize open-source supply chains
Sources in the reporting point to a simple incentives story: attackers “go to the area where they can get the highest return on their work,” because compromising open-source components offers access into downstream supply chains and widely used systems. Æva Black, who worked on open-source security at CISA before leaving when President Trump returned to office, said the potential blast radius has expanded as open source moved from niche to ubiquitous — “from modern cars to satellites.”
Other practitioners stress the structure of open source itself: Daniel Stenberg, creator and maintainer of cURL, noted many projects are maintained by small teams and volunteers and therefore under-resourced. Dan Lorenc, CEO and co-founder of Chainguard, added that open-source projects often lack a coordinated vulnerability-disclosure mechanism and that maintainers can be hard to reach or overwhelmed by reports — a problem amplified by unverified AI-generated findings.
Policy shifts at CISA and in Washington
The reporting traces a brief period of government attention after the 2021 Log4j incident and then a retrenchment in some areas. Jen Easterly, then the director of CISA, called Log4j “one of the most serious I’ve seen in my entire career,” and the Cyber Safety Review Board later concluded fast action from industry and government averted a disaster while also highlighting the thinly resourced volunteer-based open-source community.
After Log4j, the U.S. government created the Open-Source Software Security Initiative and hired open-source specialists at CISA. But under President Trump, many of those hires departed — the report names Æva Black, Tim Pepper and Anjana Rajan among those no longer at CISA — and personnel cutbacks have reduced capacity. The Trump administration's cyber strategy does not mention open source. Jack Cable called the loss of those experts “unfortunate” and said rebuilding capacity will be difficult.
Still, activity continues: Nick Andersen, the acting director of CISA, told CyberScoop that open-source security “is an area of particular concern” and that CISA is “accelerating our hiring in critical areas.” Legislative movement has been mixed. The Securing Open Source Software Act, which Cable helped draft while on Senate staff, has stalled since its 2022 introduction, though a portion of the bill was folded into the Department of Homeland Security funding law that President Trump signed in April, directing CISA to brief Congress on the value of an open source program office. Senate Intelligence Committee Chairman Tom Cotton has pressed the executive branch on foreign adversary influence in open-source code, and House defense authorization language asks the Defense Department CIO to report on securing open-source supply chains.
Europe’s regulatory path: Germany grants and the Cyber Resilience Act
Beyond the United States, the story highlights concrete steps elsewhere. Germany devotes grants to open-source project security, and the Cyber Resilience Act (CRA) adopted by the Council of the European Union in 2024 requires entities that use open-source products commercially to take certain security measures. Æva Black said CISA had discussed compatible approaches with European counterparts while she was at the agency but that momentum stalled after the change in administration — “Europe kept rolling,” she said, and now has a legal framework “set to really reshape open-source security” for anyone who wants to work with Europe on open source.
What this means for project maintainers, companies, and the Defense Department
- Project maintainers: Many maintainers will continue to face a deluge of reports and limited resources; the lack of a systematic disclosure pipeline means maintainers are often the bottleneck, said Dan Lorenc and other practitioners.
- Companies that rely on open source: Experts such as Æva Black say companies have not implemented consistent “responsible and safe utilization pathways” and must increase diligence and investment in dependencies and patching.
- The Defense Department and national-security overseers: Congressional direction in defense legislation reflects worry about “foreign influence in open source code,” and report language is intended to increase visibility into origins, maintenance and security of OSS dependencies, a concern echoed by Hayden Smith and others involved in defense supply-chain work.
Voices in the reporting diverge on remedies. Dan Lorenc argued “open source isn’t governable” as traditionally conceived and proposed a neutral nonprofit to coordinate disclosures and stewardship transfers. Alex Zenla and others warned against blunt isolationist responses to foreign contributors, noting that many external contributions are valuable. The record in the article is clear: the technical scale of discovered vulnerabilities, shifting U.S. government capacity, and new European regulation have combined to make open-source security both a practical and policy problem — one where discovery outpaces the ability to patch, and where answers will require coordination among maintainers, companies, and governments.
https://cyberscoop.com/open-source-software-security-crisis/