Open-source attacks expose supply-chain accountability gaps
The hard part is assigning responsibility for code everybody uses, nobody owns, and procurement still treats as somebody else’s evidence problem.
TL;DR
CyberScoop reports that open-source software attacks are rising as experts question how much government can do without heavier vendor accountability. Former CISA open-source security staffers described years of underinvestment and setbacks under President Donald Trump, while Project Glasswing said it found 6,202 high- or critical-severity vulnerabilities across more than 1,000 projects. Federal buyers, software suppliers and maintainers all feel the risk; only one of those groups usually gets a contract clause.
CyberScoop’s piece lands on the uncomfortable part of open-source security: the federal government can publish frameworks, convene summits and ask for software bills of materials, but it cannot magically create maintainers, disclosure desks or patch capacity for the code base that everyone quietly imported years ago. The reported Project Glasswing numbers are the useful stress test: 6,202 high- or critical-severity findings across more than 1,000 projects, 502 disclosed to maintainers and 75 patched by May 22. Some lag is ordinary vulnerability management. The ratio still tells buyers that discovery is no longer the bottleneck.
The government side is not empty-handed. CISA has treated open source as part of critical infrastructure risk, saying open-source software is widely used across the federal government and every critical infrastructure sector, and its roadmap sets goals for visibility into open-source use and risk prioritization (https://www.cisa.gov/opensource). NIST’s Secure Software Development Framework gives agencies and suppliers a common vocabulary for secure development and acquisition expectations under Executive Order 14028 (https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-supply-chain-security-guidance-16). CISA’s 2024 software acquisition guide also puts the transparency problem plainly: acquisition staff often lack enough supplier detail to assess development and third-party management practices (https://www.cisa.gov/sites/default/files/2024-07/PDM24050%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20ConsumersV2_508c.pdf).
That is the policy gap CyberScoop is describing. Open source is not a single vendor with a security office and a Federal Acquisition Regulation certification queue. It is volunteer maintainers, thinly funded foundations, commercial redistributors, cloud platforms, integrators and federal buyers, all touching the same dependency tree with different incentives. If the next move is just more attestation language, the people least able to absorb it will get more reports, and the companies monetizing the stack will keep calling it community risk.
Published · Deep Fathom