@Viss @wdormann every AI vulnerability company wants to find something juicy, and has no idea how to coordinate the findings
Notices by Josh Bressers (joshbressers@infosec.exchange)
Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 04-May-2026 02:54:55 JST
Josh Bressers
Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 04-May-2026 02:54:53 JST
This post got into my head. I think you're right, the days of coordination are over
So I wrote it down
https://opensourcesecurity.io/2026/05-vulnerability-economics/
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 25-Mar-2026 18:21:02 JST
I love the hot takes that this Trivy debacle will be the end of open source
Heartbleed didn't kill open source
Log4Shell couldn't get the job done
xz tried and failed
This won't kill it either
Free is too good of a deal
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 13-Jan-2026 02:59:06 JST
This week on #OpenSourceSecurity I have a chat with @algernon about @iocaine
Iocaine creates a maze of garbage to trap scraping bots. I love this idea, it has amazing chaotic good energy!
I learn all about how Iocaine works, and even got to see some dashboards showing off the size of the problem and how Iocaine handles it all.
https://opensourcesecurity.io/2026/2026-01-iocaine-algernon/
Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 09-Oct-2025 11:21:41 JST
OK open source security nerds, I need your help
I have a podcast YouTube show thing called Open Source Security
https://opensourcesecurity.io/
I'm always looking for guests. Back when I changed formats in January I had a pretty large list of people sent to me as suggestions. I've made it through the list (it took me 10 months)
If you know someone (or are someone) doing open source security work I would love a suggestion. DMs are open and there are other contact things on the website
I especially like guests who are unsung heroes
Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 15-Sep-2025 03:21:09 JST
@ryanc @lemonlolita the Lower Decks Tuvix episode is solid gold. You should watch it after this
Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 28-Aug-2025 14:42:53 JST
The Register wrote a story about a single maintainer open source project, I think it's shameful and upsetting. So I wrote a blog post about it
An absolutely ridiculous amount of open source is one person projects. I have the data to prove it
Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 21-Jul-2025 23:16:56 JST
@adamshostack This post has been living for free in my head for a few days
The part I'm most pondering is how not just anyone can build a bridge. We have a very defined field for who is allowed to design and build bridges
And when it does fail, there are incredibly detailed investigations
And those investigations end up changing the rules for future bridges (and might even result in existing bridges getting an upgrade)
While in cybersecurity, I think we are basically at the "random person build bridge out of stuff they found in the woods" stage of bridge building
It's also worth noting, it took hundreds (probably thousands) of years to get to the place we are with bridge building
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 16-Apr-2025 15:56:23 JST
There's a Discord server a bunch of vulnerability nerds hang out in that I run. We'll be talking about what's happening with #CVE for the foreseeable future (good, bad, and ugly)
Everyone is welcome to join, feel free to lurk, ask questions, or suggest ideas
Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 03-Apr-2025 04:09:18 JST
@gregkh @TheNewStack @badger @sjvn
Working to fix the CVE problems should be applauded
But we need to keep in mind there are open source projects that are one person who spends two hours every other Saturday
Expecting that person to become a CNA is 🍌
They should be able to control their CVE data also, but today they can't
Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 03-Apr-2025 04:08:58 JST
Ugh, please don't normalize "every open source project needs to be a CNA"
Most open source projects don't have the resources to be a CNA and shouldn't need to be a CNA
curl and the kernel became CNAs because the CVE process is broken
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 25-Feb-2025 23:09:00 JST
This episode #OpenSourceSecurity talks to @sheogorath about forking open source projects
It's a lot more complicated than you think it is, and Sheogorath has some first-hand experience from one of the most complicated forks I've ever seen in HedgeDoc
It's a fun chat filled with lessons
https://opensourcesecurity.io/2025/2025-02-fork_open_source_sheogorath/
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 21-Jan-2025 00:18:13 JST
I had a chat with @grimmy on #OpenSourceSecurity about maintaining an open source project for more than 20 years (Gary maintains Pidgin)
It's a fun conversation that brought back many memories as well as some lessons for everyone involved in open source
https://opensourcesecurity.io/2025/01-open_source_maintenance_with_gary_kramlich/
Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 17-Jan-2025 00:46:35 JST
Being on the "Top 10 CVE assigners of 2025" list probably isn't something Fortinet is very excited about :)
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 01-Jan-2025 23:57:53 JST
Now that 2025 is here, it's time to wind down the #osspodcast
It was a fun run, but it was time to be done.
I have a new project I'm calling "Open Source Security" (the domain is too good to not do something with it)
I want to chat with people securing the use and creation of open source. I explain a lot more in the blog post (which also has audio)
If you're one of these people, let me know! There are a lot of lessons for us all, and the people doing the best work aren't being listened to
https://opensourcesecurity.io/posts/2025-01-the_future_of_open_source_security/
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 10-Dec-2024 22:05:05 JST
@bagder @pluralistic the solution is obviously more AI
It’s the one trick THEY don’t want you to know!!!
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 10-Dec-2024 12:26:10 JST
@sethmlarson Ooohhh, actually, I wonder if it's the fault of @ecosystems
They had some data issues around that time I think
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 10-Dec-2024 10:47:23 JST
Goodness no. This is pretty confusing stuff, the questions help me double check I'm not missing something
I appreciate the questions
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 10-Dec-2024 10:42:40 JST
I will accept that as the spike, but there are over 2 years of 1000 (give or take) removals per month, then it drops to 100
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 10-Dec-2024 10:38:30 JST
Hey @sethmlarson
I'm doing some investigation on how often the various ecosystems are removing packages. Do you know why PyPI had this decrease in the number of removed packages in the middle of May?