Kyle Kelly
Fewer than 500 of npm's top 10,000 most downloaded packages have one or more disclosed vulnerabilities, which is not surprising considering that the ratio of open source packages to known vulnerabilities is less than 0.5%. In this talk, we will discuss why current OSS vulnerability discovery efforts are falling short, addressing common mistakes made by open source maintainers, the challenges of scaled security scanning, and the shortcomings of today's open source bug bounty programs. To conclude, I'll propose a transition from crowdsourced bug hunting to crowdsourced triaging, emphasizing how often repository issues, OSS-Fuzz crash reports, and similar findings go untriaged, despite being publicly available and despite their potential to reveal (undisclosed) critical security risks.
Kyle Kelly
Engineering Manager, GitHub
Kyle Kelly is the Manager of GitHub's Package Security Team and the author of the CramHacks newsletter. He is passionate about leveraging his security expertise to address software supply chain security challenges, particularly with regard to open-source software. Before committing to software supply chain security, Kyle led a team of penetration testers specializing in hacking financial institutions.