The State of Open Source Security

Over 90% of modern software includes open source components. The average application has 200+ open source dependencies, most of which are pulled in transitively — dependencies of dependencies that developers never explicitly chose. This ecosystem powers everything from personal projects to critical infrastructure, and its security posture is one of the most important — and most fragile — aspects of the modern software supply chain.

A pattern of close calls

The last several years have produced a series of incidents that illuminate the structural vulnerabilities in open source:

Heartbleed (2014) revealed that OpenSSL — the cryptographic library protecting most of the internet’s encrypted traffic — was maintained by two people with minimal funding. Log4j (2021) showed that a critical vulnerability in a ubiquitous library could be embedded in millions of applications as a transitive dependency that most organizations didn’t know they had. XZ Utils (2024) demonstrated that a determined attacker could socially engineer a sole maintainer over multiple years to gain commit access and insert a backdoor.

The XZ Utils backdoor was discovered not by any security tool or code review process, but because one engineer noticed a 500-millisecond latency increase in SSH logins and was curious enough to investigate.

Each incident reveals a different facet of the same structural problem: the open source ecosystem that critical infrastructure depends on is under-resourced, under-governed, and under-protected.

The funding gap

The disconnect between the value open source provides and the resources invested in its security is stark. Companies worth hundreds of billions depend on libraries maintained by individuals or small teams, often without compensation. When those maintainers burn out, step away, or can’t keep up with security demands, the entire downstream ecosystem inherits the risk.

The question isn’t whether we can afford to fund open source security — it’s whether we can afford the cost of not funding it. Each major incident costs billions in aggregate damage, dwarfing the investment needed to prevent them.

Several funding models are emerging: corporate sponsorship through foundations like OpenSSF, government investment through CISA and the EU Cyber Resilience Act, and programs like the Sovereign Tech Fund that directly fund critical open source infrastructure. But funding alone doesn’t solve the problem — governance, review practices, and tooling all need investment.

The tooling response

The security community has responded with an increasingly mature set of tools and initiatives:

  • OpenSSF Scorecard — automated security assessment of open source projects
  • Sigstore — free code signing infrastructure that eliminates the key management barrier
  • SLSA framework — supply chain integrity levels for software artifacts
  • SBOMs — Software Bills of Materials that inventory all components in a software stack
  • OSV.dev — open vulnerability database with API access

Executive Order 14028 and the EU Cyber Resilience Act are moving open source security from voluntary best practice to regulatory requirement. Organizations that depend on open source — which is nearly all of them — need to understand their exposure.

What organizations should do now

  1. Generate SBOMs for your applications — you can’t secure what you can’t see
  2. Scan dependencies regularly with tools like pip-audit, npm audit, or Trivy
  3. Evaluate critical dependencies against OpenSSF Scorecard
  4. Fund the open source you depend on — even small contributions help sustain maintainers
  5. Prepare for regulation — SBOM requirements and vulnerability disclosure obligations are coming
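Steps 1 to 3 above, worked through in code as an added example (not code from the page or from any of the projects it names): it reads a constructed CycloneDX-style SBOM, turns each component into an entry for the request body that OSV.dev's `POST /v1/querybatch` endpoint accepts, and maps a constructed response back onto the components that need attention. The SBOM contents and the advisory id are sample data; the HTTP call itself is left out so the block runs offline, and the caller is assumed to send the query and pass the decoded JSON back in.

```python
import json
from urllib.parse import unquote

# Constructed CycloneDX-style SBOM fragment (sample data, not from any real project).
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "types", "version": "1.0.0", "purl": "pkg:npm/%40scope/types@1.0.0"},
]})

# package-url type -> ecosystem name as OSV.dev spells it (subset; extend as needed).
PURL_TYPE_TO_OSV = {"pypi": "PyPI", "npm": "npm", "maven": "Maven", "golang": "Go", "cargo": "crates.io"}

def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version[?qualifiers][#subpath]' into (type, name, version)."""
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    path, _, version = body.partition("@")
    ptype, _, rest = path.partition("/")
    # OSV names Maven packages 'group:artifact'; other ecosystems keep the URL-decoded path.
    name = rest.replace("/", ":") if ptype == "maven" else unquote(rest)
    return ptype, name, version

def build_osv_batch_query(sbom_json):
    """Build the querybatch body; components OSV cannot be asked about are returned, not dropped."""
    queries, skipped = [], []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        ptype, name, version = parse_purl(purl)
        eco = PURL_TYPE_TO_OSV.get(ptype)
        if eco is None or not version:
            skipped.append(purl or comp.get("name", "?"))  # surface the blind spot to the reader
            continue
        queries.append({"package": {"name": name, "ecosystem": eco}, "version": version})
    return {"queries": queries}, skipped

def affected_components(batch_query, batch_response):
    """Pair queries with results (OSV returns them in query order) and keep only vulnerable ones."""
    findings = []
    for q, r in zip(batch_query["queries"], batch_response["results"]):
        ids = sorted(v["id"] for v in r.get("vulns", []))  # an empty result object means no known vulns
        if ids:
            findings.append((q["package"]["ecosystem"], q["package"]["name"], q["version"], ids))
    return findings

# Constructed stand-in for the decoded OSV response; the advisory id is a placeholder, not a real one.
SAMPLE_RESPONSE = {"results": [{"vulns": [{"id": "GHSA-EXAMPLE-0001"}]}, {}, {}]}
```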

The open source security problem won’t be solved by any single initiative. It requires sustained investment, better tooling, stronger governance, and a cultural shift from treating open source as free infrastructure to recognizing it as shared infrastructure that requires shared investment.


Want to dig deeper? Explore the project repository for the full landscape analysis, funding model comparison, governance best practices, and a reference guide to security tools and initiatives.
