I’m not a super expert in all this, but I know enough to be dangerous. If I make any mistakes, please let me know (there are many ways to contact me listed in the “Contact” menu). I will clearly mark any changes to the post due to errors, feel free to check back and see what I got wrong. Since the CVE people won’t tell us anything useful, let’s use Cunningham’s Law to our advantage. ...

I chat with Alan Pope about the open source security tools Syft, Grype, and Grant. These tools help create Software Bills of Materials (SBOMs) and scan for vulnerabilities. Learn why generating and storing SBOMs is crucial for understanding your software supply chain and quickly responding to new threats like Log4Shell. Episode Links Alan Syft Grype Grant Linux Matters podcast https://anchore.com/opensource/ This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

If you are a security nerd, and even if you’re not, you probably heard about the epic CVE mess that happened. It’s a very long story and was covered in many places, but the TL;DR was the funding for CVE fell through, panic ensued, then CISA found some temporary funds to keep the lights, so everything is fine and we can all go back to normal. Well, some of us won’t go back to normal because the CISA funding is good for 11 months. Will there be more funding in 11 months? Will an asteroid destroy the Earth in 2032? Will society still exists at Christmas? Nobody really knows. Well that asteroid one, we sort of know that. We’ll be fine. Yay science! ...

Aaron Frost explores the overly complex world of vulnerability identifiers for end of life software. We discuss how incomplete CVE reporting creates blind spots for users while arming attackers with knowledge. The conversation uncovers the ethical tensions between resource constraints and security transparency, highlighting why the “vulnerable until proven otherwise” approach is the best path forward for end of life software. Episode Links This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

VulnCon 2025 is over. I didn’t go. A bunch of people have asked me why, and rather than keep my answer to a small group, I thought it would make sense to write something public about it all. The TL;DR is I went to a different conference that I thought was a better use of my time. The conference I went to was Cyphercon and BSides Milwaukee. They are regional conferences in Wisconsin. Good people, great shows, a lot of fun and learning. Yeah, it was technically the week before VulnCon, but I lack the fortitude to do two conferences back to back. Some people can, I tip my hat to those folks. I’m not one of them. I should be clear though, this isn’t the only reason. I also don’t think VulnCon should exist (more on that at the end). ...

Cargo Semver Checks is a Rust tool by Predrag Gruevski that is tackling the problem of broken dependencies that cost developers time when trying to upgrade dependencies. Predrag’s work shows how automated checks can catch breaking changes before they’re released, potentially saving projects from unexpected failures and making dependency updates less painful across the entire Rust ecosystem. Episode links Predrag’s Mastodon Predrag’s Blog “We never update unless forced to” — cargo-semver-checks 2024 Year in Review cargo-semver-checks issue 5 This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

I got to chat with Lars about a new CI/CD system he’s been working on called Ambient. It sounds really cool and does some very clever things today, with even more things planned in the future. We also spend some time discussing a project he works on called Radicle, a distributed Git forge. It feels like having decentralized infrastructure might be more important than it’s ever been, for some reason. ...

When William Brown posted a rant on Mastodon about the FIDO Metadata Service, it sounded like exactly the sort of thing I wanted to learn more about. So that’s what I did! It’s a fun conversation, William is really good at explaining insanely complicated topics in a way that’s easy to understand. This one is dense, but it’s really interesting, you’re going to learn a ton. Episode links William’s Mastodon Yubico FEITIAN Token2 This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

When Luis Villa said he was willing to talk to me about the CRA I knew it would be a great conversation. The number of actual lawyers who also work on open source issues isn’t a large number. Luis is one of those people and he has a ton of knowledge and insight he’s willing to share. Open source legal issues are especially weird because the very nature of the open source license was to hack copyright to give us more rights instead of less. So what did Luis have to tell us about the CRA? ...