More Open Source Security episodes

The Global Vulnerability Intelligence Platform with Olle Johansson

Published 16 Feb 2026

Duration: 34:24

Vulnerability management is hindered by the shortcomings of the CVE program, but the proposed Global Vulnerability Intelligence Platform aims to improve global collaboration, standardization, and transparency.

Episode Description

Josh chats with Olle Johansson about the Global Vulnerability Intelligence Platform (GVIP). It's no secret the current vulnerability systems are reach...

Overview

The podcast examines the growing challenges in vulnerability management, particularly highlighting the shortcomings of the CVE (Common Vulnerabilities and Exposures) program. Issues such as its U.S. government-centric structure, lack of standardization, and limited funding are noted as obstacles to effectively managing the rising number of software vulnerabilities. As open source software becomes more widespread and complex, the current vulnerability reporting system is perceived as inadequate and fragmented, leaving gaps in coverage and response.

To address these issues, the Global Vulnerability Intelligence Platform (GVIP) is introduced as a community-driven initiative aiming to improve global collaboration, standardization, and transparency in vulnerability intelligence. The project seeks to broaden funding sources, engage a wider range of stakeholders, and develop more accessible and usable data formats. The discussion emphasizes the need for better governance, stakeholder engagement, and regulatory influence to shift industry priorities toward security. While challenges such as data sharing and sustainability remain, efforts are being made to build a more inclusive and comprehensive vulnerability management system through collaborative events and open initiatives.

Recent Episodes of Open Source Security

30 Mar 2026 Open Source Security at scale with Michael Wisner

The Alpha Omega Project addresses open-source security by targeting leverage points like Node.js and Python ecosystems, advocating for systemic solutions, dedicated security roles, sustainable funding, and registry infrastructure improvements to counter fragmented practices and downstream risks.

23 Mar 2026 2026 State of the Software Supply Chain with Brian Fox

The State of the Software Supply Chain Report highlights explosive open source growth (10T annual downloads) alongside critical challenges: malware proliferation (1.2M malicious packages), unresolved vulnerabilities (65% unaddressed), infrastructure strain, and AI's dual role as a risk (hallucinations) and an opportunity (MCP systems), together with the urgent need for better tools, policies, and cost management amid regulatory and scalability pressures.

16 Mar 2026 MCP and Agent security with Luke Hinds

The episode explores AI agent security risks such as prompt injection and open-source vulnerabilities, emphasizing the No-NO project's kernel-based sandboxing with a deny-by-default model, hardware enclaves, and Rust-driven efficiency, alongside layered defenses, restricted commands, and collaborative efforts to tackle evolving threats such as social engineering and insecure coding practices.

2 Mar 2026 Rust coreutils with Sylvestre Ledru

A modern rewrite of Unix command-line tools using Rust aims for memory safety, performance, and maintainability while achieving high compatibility.