Frontier AI and the next phase of software vulnerability defence
As advanced AI lowers the cost of discovering and exploiting software vulnerabilities, Europe must treat open source security and rapid patch deployment as critical resilience infrastructure
Context. Frontier AI systems have crossed an important threshold for cybersecurity and software resilience. They are no longer limited to code completion, triage, or report writing; the most capable models can now assist with vulnerability discovery, exploitability analysis, and, increasingly, patch generation. Anthropic’s Project Glasswing, launched on April 7, 2026, put this shift in the public eye by giving selected critical software operators and maintainers early access to Claude Mythos Preview for defensive security work. Anthropic described Glasswing as an initiative to secure critical software with early access to frontier AI, involving major infrastructure, cloud, financial, and open source actors, and extending access to more than 40 organisations that build or maintain critical software infrastructure. Through our longstanding partnership with the Alpha Omega Project, the Eclipse Foundation has been part of the Glasswing Project since its inception, giving us direct experience with this emerging model of AI-assisted vulnerability discovery. To our knowledge, we are currently the only EU-domiciled organisation participating in the initiative, giving us a unique vantage point on how frontier AI capabilities are beginning to reshape software security and resilience.
Why this matters now. The capability jump appears not to be limited to one model, one vendor, or ecosystem. The UK AI Security Institute found that Claude Mythos Preview represented a step-change in cyber performance, including autonomous progress on multi-step attack simulations and high success on expert-level cyber tasks. Less than three weeks later, AISI reported that OpenAI GPT-5.5 reached a similar level of performance on its cyber evaluations and was the second model to complete one of AISI’s multi-step cyber-attack simulations end-to-end. Open-weight models are also narrowing the gap: CAISI’s May 2026 evaluation described DeepSeek V4 Pro as the most capable Chinese model it had evaluated across cyber, software engineering, science, reasoning, and mathematics, while still lagging the leading U.S. frontier by roughly eight months. The implication is that capabilities currently concentrated among a small number of frontier AI providers will quickly become cheaper, more widely available, and harder to govern. This makes early institutional experience with frontier defensive AI workflows strategically important.
The immediate risk: a vulnerability and patching imbalance. Critical infrastructure operators, including energy, transportation, water, health, public services, and financial services, are especially exposed because many run complex, legacy, opaque software estates where patching is slow, cautious, and operationally disruptive. This is not a hypothetical concern: the US Government Accountability Office’s (GAO) 2025 review of critical federal legacy systems found outdated languages, unsupported hardware or software, and known cybersecurity vulnerabilities in systems supporting missions such as critical infrastructure, tax processing, and national security. CISA similarly warns that outdated software is a gateway for threat actors in critical infrastructure contexts, including public-facing routers, VPNs, and firewalls used to reach operational systems. NCSC now expects a “vulnerability patch wave”: a rush of software updates across open source and commercial software stacks as AI accelerates discovery of long-standing technical debt.
The systemic threat. AI-assisted vulnerability discovery changes the economics of offense. It lowers the time, expertise, and cost needed to find flaws, validate exploitability, and turn known-but-unpatched vulnerabilities into working attacks. This is particularly dangerous where many institutions depend on the same software, libraries, cloud providers, identity systems, network appliances, or open source software components. For decades, many IT and operational technology environments have treated patching as an operational disruption to be minimized, especially when systems appear to be running correctly. In some cases, this caution is understandable: outages can have safety, economic, regulatory, and reputational consequences. But the balance of risk is changing. When AI can accelerate vulnerability discovery and exploitation, “stable but unpatched” systems can quickly become systematically exposed. Changing this culture and making rapid, well-tested patch deployment a core resilience function may be one of the hardest short-term challenges. The most serious concern is the possibility that threat actors will use AI to discover and exploit “zero day” vulnerabilities before patches are available. The IMF warned on May 7, 2026 that advanced AI models can reduce the time and cost of identifying and exploiting vulnerabilities, increasing the likelihood of correlated failures across widely used systems; it specifically identified financial intermediation, payments, and confidence as systemic risk channels. The same concern applies to cross-sector dependencies among finance, energy, telecommunications, public services, and digital infrastructure.
The Eclipse Foundation’s key finding. Our most important finding from the one-month experiment with Mythos was that operational workflows, validation pipelines, and human oversight matter at least as much as the model. Glasswing’s real significance is not simply that one frontier model found more vulnerabilities. It is that a community of security researchers can iteratively improve prompts, agentic harnesses, target selection methods, reproduction pipelines, and triage workflows, and then apply those methods across multiple market-available models, including cheaper and more widely accessible ones. Anthropic’s own technical write-up reinforces this point: its vulnerability work used agentic scaffolds, containers, target ranking, repeated runs, and validation methods rather than a bare chatbot prompt. NCSC likewise stresses that practical AI cyber capability comes from AI systems—models combined with tools, workflows, and human oversight—not from raw model capability alone.
The opportunity: shared defence capacity at machine speed. The same tools that raise offensive risk can strengthen defense if deployed first and responsibly. AI can continuously scan code and dependencies, generate fuzzing harnesses, prioritize findings by exploitability and exposure, propose patches, produce regression tests, summarize impact for maintainers, and accelerate coordinated vulnerability disclosure. NCSC identifies three high-value defensive uses: reducing attack surface through AI-enabled testing and hardening, improving detection and investigation, and automating mitigation and response where carefully governed. The strategic objective should be to convert AI-driven discovery into AI-assisted remediation faster than adversaries can convert discovery into exploitation. Organisations that are not using AI to strengthen threat detection, prevention, and mitigation risk being outpaced by AI-enabled attackers.
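The prioritisation step described above (ranking findings by exploitability and exposure so that remediation capacity goes where correlated failure risk is highest) is easy to state and easy to get wrong. The following is an added illustration, not code from the article or from Project Glasswing: a small triage model over constructed findings. The scoring weights, the remediation windows and the sample components are assumptions chosen for the illustration, not any organisation’s policy; the point is that an internet-facing component with a public exploit outranks a higher-CVSS internal one, and that a finding without a patch still gets a deadline, for a compensating control rather than a patch.

```python
"""Added example: rank vulnerability findings by exploitability and exposure.

Not part of the original article. All findings are constructed sample data;
scoring weights and SLA windows are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    component: str         # affected package, service or appliance
    cvss: float            # base severity 0.0..10.0
    exploit_public: bool   # working exploit or active exploitation is known
    internet_facing: bool  # reachable from untrusted networks
    patch_available: bool  # a fix from the vendor or maintainer exists
    instances: int         # deployed systems carrying this component


def priority(f: Finding) -> float:
    """Score = severity x exploitability x reach x breadth (assumed weights)."""
    severity = max(0.0, min(f.cvss, 10.0)) / 10.0
    exploitability = 2.0 if f.exploit_public else 1.0
    reach = 1.0 if f.internet_facing else 0.5
    # Shared-dependency amplifier: a flaw in a widely deployed component is a
    # correlated-failure risk, so breadth grows up to 2x at 50+ instances.
    breadth = 1.0 + min(f.instances, 50) / 50.0
    return severity * exploitability * reach * breadth


def remediation(f: Finding, today: date):
    """Return (action, due_date). The windows are assumptions, not a standard."""
    if f.exploit_public and f.internet_facing:
        days = 3
    elif f.exploit_public or (f.internet_facing and f.cvss >= 7.0):
        days = 7
    elif f.cvss >= 7.0 or f.internet_facing:
        days = 30
    else:
        days = 90
    # No fix yet: the deadline applies to a compensating control (isolation,
    # access restriction, added monitoring) rather than to a patch.
    action = "patch" if f.patch_available else "mitigate"
    return action, today + timedelta(days=days)


def triage(findings, today: date):
    """Sorted worklist: highest priority first, earliest deadline as tie-break."""
    rows = []
    for f in findings:
        action, due = remediation(f, today)
        rows.append({
            "component": f.component,
            "priority": round(priority(f), 3),
            "action": action,
            "due": due,
        })
    rows.sort(key=lambda r: (-r["priority"], r["due"]))
    return rows


# Constructed sample findings (hypothetical components and values).
SAMPLE_FINDINGS = [
    Finding("edge-vpn-appliance", 9.8, True, True, True, 12),
    Finding("internal-java-lib", 9.1, False, False, True, 400),
    Finding("ci-runner-agent", 6.5, True, False, False, 3),
    Finding("old-reporting-tool", 5.3, False, True, True, 1),
]
TRIAGE_DATE = date(2026, 5, 1)  # constructed "today" for reproducible output

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, TRIAGE_DATE):
        print(f'{row["priority"]:6.3f}  {row["action"]:8}  '
              f'{row["due"]}  {row["component"]}')
```

Note that the internal Java library scores second despite having no public exploit: its 400 deployed instances make it the kind of shared dependency whose compromise produces the correlated failures the IMF and NCSC warn about, which is why breadth is weighted explicitly rather than left to CVSS alone.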
What Europe should do now. Europe should treat AI-enabled open source security as shared digital resilience infrastructure. That means investing in trusted vulnerability discovery, coordinated disclosure, maintainer support, patch validation, and deployment readiness across the software components that underpin critical services. No single vendor, foundation, institution, or member state can solve this alone; it requires an ecosystem response. Europe should also ensure that trusted public institutions and open source ecosystems remain directly involved in frontier AI cybersecurity evaluation and remediation efforts, rather than relying on commercial actors outside Europe.
Open source is not the problem; it is the solution. The risk does not come from open source. It comes from the fact that many organisations depend on software they do not fully understand, cannot fully inventory, and cannot patch quickly enough. Open source makes that dependency visible, auditable, and repairable. Open source governance structures may become increasingly important in AI-enabled remediation ecosystems because their transparency, global maintainer communities, reproducible builds, public issue tracking, coordinated disclosure practices, and shared security tooling make them uniquely capable of operating at ecosystem scale. CISA’s Open Source Software Security Roadmap explicitly recognizes OSS as a public good supported by diverse communities and calls for supporting critical OSS components relied on by government and critical infrastructure. Furthermore, AI is enabling increasingly sophisticated reverse engineering tools that can generate source code from proprietary binaries, making “security through obfuscation” an implausible strategy.
Conclusion. This is a global software resilience issue, with direct implications for Europe’s security, digital sovereignty, and strategic autonomy. Critical infrastructure and financial services everywhere rely on globally developed open source components, shared platforms, and common supply chains. Local champions will matter, but isolated national responses will not be sufficient. The priority is coordinated action: shared AI-enabled vulnerability discovery, trusted disclosure channels, maintainer support, rapid patch production, dependency intelligence, and deployment capacity across public and private sectors. Ultimately, resilience will depend not only on AI capability itself, but on trusted ecosystems capable of coordinating remediation rapidly across shared infrastructure. The Eclipse Foundation will work with public institutions, industry, and open source communities to help strengthen these shared resilience capabilities across the European software ecosystem. Open source should be treated not as the weak link, but as the coordination layer through which Europe and its global partners can find, fix, validate, and deploy security improvements at the speed modern resilience now requires.
Join us in Brussels: Meet the OCX 2026 keynote speakers
As we approach Open Community Experience (OCX) 2026, taking place 21–23 April in Brussels, I’ve been reflecting on this year’s program and what it says about where our community is heading.
At its core, OCX is about bringing together the different communities that are supported by the Eclipse Foundation. That includes work happening across AI, mobility, developer tooling, embedded systems, security and compliance, and public policy & research. These areas are increasingly connected, and the people working in them are often tackling similar challenges from different angles. We often describe the Eclipse Foundation as a “community of communities,” and OCX is a reflection of that. It creates space for those communities to come together, compare notes, and learn from each other. Developers, policymakers, business leaders, and other contributors to the open source ecosystem all have a role to play in those conversations.
This year, I will once again have the privilege of opening OCX with my “State of the union” keynote. I will share reflections on how open source is evolving, along with our strategic priorities as we navigate a landscape shaped by rapid advances in AI, increasing regulatory complexity, and growing expectations for secure and trustworthy software. It is a moment that calls for clarity of purpose and for collaboration at scale.
Of course, one of the highlights of OCX is always the keynote program, and this year we have assembled an exceptional group of speakers who bring a diverse and compelling set of perspectives.
Ruth Buscombe, a Formula 1 race strategist and F1TV analyst, will share insights drawn from one of the most demanding, data-driven environments in the world. Her experience translating complex data into real-time decisions offers a powerful parallel to open source communities, where transparency, coordination, and trust are essential to success. Her work advocating for diversity in STEM also serves as an important reminder that strong communities are built through inclusion. Get a snapshot of her keynote in this teaser video.
Nadia Aimé, Cybersecurity Cloud Solution Architect at Microsoft, will share a deeply personal perspective on navigating a career in technology amid constant change. As AI continues to reshape the industry and cybersecurity challenges grow more complex, Nadia’s story highlights the enduring importance of resilience, curiosity, and community. Her message is a timely reminder that while technologies shift, the human qualities that underpin meaningful contribution remain constant.
From SAP, Axel Uhl will explore how open source technologies enable innovation at scale. Drawing on SAP’s work in competitive sailing, his keynote will demonstrate how Eclipse Foundation technologies have been used to build sophisticated digital twins capable of modelling complex, real-world systems used in the Olympic Games. It is a compelling example of how open source can serve as both a foundation for experimentation and a driver of operational excellence.
We will also host a high-level panel discussion on the implementation of the Cyber Resilience Act (CRA). As the conversation shifts from policy to practice, this session will explore what it takes to turn regulatory ambition into effective, real-world outcomes. Bringing together leading voices from across the European ecosystem, this discussion will examine governance, standardisation, and market readiness, as well as the critical role open source must play in shaping a secure and innovative digital future.
And, as always, the keynotes are just one part of the experience. OCX 2026 will feature a rich program of technical sessions, hands-on workshops, and the kind of informal conversations where some of the most valuable ideas emerge.
What continues to make this event special is the people. It is the opportunity to reconnect with colleagues, meet new contributors, and take part in discussions that genuinely matter. There is a shared sense of purpose that comes from bringing so many perspectives together in one place, and it is something I look forward to every year.
I am very much looking forward to welcoming you to Brussels this April. OCX 2026 is an opportunity to learn from one another, strengthen our community, and continue shaping the future of open source together.
See you there!
What’s in store for open source in 2026?
As 2025 draws to a close, many of us find ourselves reflecting on a year of remarkable change and looking ahead to what lies beyond the horizon. The end of the year often brings a mix of reflection and anticipation, a time when the open source ecosystem pauses to take stock and to imagine what the next chapter might bring.
In that spirit, I’d like to share a few thoughts on the forces shaping open source as we head into 2026. The past year has seen emerging trends poised to influence not only the open source ecosystem but also the broader technology industry and the many sectors that depend on it. From governance and sustainability to the evolving role of open collaboration in driving innovation, the ripples we saw in 2025 are likely to become powerful waves in the year ahead.
Prediction 1: As Agentic AI deployments accelerate, many enterprises will shift away from proprietary pilot solutions toward open source AI tooling that helps them integrate agentic workflows with their existing applications and data.
The promise of agentic AI is unmistakable. What enterprises are struggling with is the move from controlled pilots to real production environments that must operate within the constraints of their current systems. Many proprietary agentic platforms remain optimized for “green field” use cases, making them poorly matched to the complex mix of legacy data assets and workloads that are prevalent in enterprise environments.
For agentic AI to deliver real enterprise value, it must operate within existing operational, reliability, and performance constraints. For example, an agentic system that can’t talk to Java systems – the lingua franca of enterprise computing – is effectively cut off from the most critical operational data, workflows, and decision-making contexts. Forcing enterprises to adopt a parallel, Python-based infrastructure in order to deploy AI systems will delay adoption and significantly increase security, performance, and scalability risk.
Open source tooling will play an increasingly important role in solving these challenges. Eclipse LMOS and its Agent Definition Language (ADL) provide one model-neutral option for defining agent behaviour in a structured and maintainable way. LMOS is already in production at Deutsche Telekom, powering an award-winning bot and consumer-facing AI system that processes millions of service and sales interactions across several countries. At the same time, enterprises will have multiple viable open source choices that fit different architectural and operational needs.
Another highly visible growth area in 2026 will be AI-enabled developer tooling. The launch of the Eclipse Theia AI IDE shows how open collaboration can deliver powerful AI development environments without locking teams into proprietary toolchains. The Theia platform allows organisations to choose their preferred LLMs, integrate contextual data through MCP, and build agentic workflows that align with internal security and compliance requirements. For many enterprises, this flexibility will be essential as AI-assisted development becomes part of everyday engineering practice.
Complementary work on projects like Eclipse Adoptium will continue to strengthen the foundation on which AI systems depend. Verified builds, signed binaries, and rigorous QA increase confidence that AI-enabled enterprise applications can be deployed with traceability and accountability.
Jakarta Agentic AI will also begin defining standard patterns for agentic workflows in enterprise Java, giving organisations predictable and interoperable ways to bring agentic capabilities into mission-critical systems.
Prediction 2: Digital sovereignty will quickly rise in strategic importance for nation-states, and open standards will prove critical in making it achievable.
Over the past two decades, extraordinary advances in technology have reshaped global economics and trade. They have enabled entirely new markets, transformed industries, and created business models that were previously unimaginable. As digital infrastructure now underpins nearly every aspect of national competitiveness, governments across the globe are realising how their use of technology affects strategic autonomy, resilience, and digital sovereignty. Questions of who controls critical data, how it is shared, and where it is processed are now central to national policy and economic strategy.
As these pressures grow, open standards will become essential to the path forward. They provide a neutral foundation that allows organisations and nations to build digital capabilities without being locked into proprietary ecosystems or single-vendor dependencies. In 2026, this will matter more than ever. The Eclipse Foundation and the Eclipse Dataspace Working Group (EDWG) recently released two key protocol specifications, which are under review for international standardisation through the ISO/IEC JTC1 Publicly Available Specification (PAS) process. These new protocols represent a significant advancement in enabling open, interoperable, and sovereign dataspaces. They enable organisations, industries, and nations to share data securely while retaining full control over their information. Dataspaces also enable data owners to clearly outline the terms under which their data can be used to train AIs, accelerating the move toward ethical AI systems.
This work shows how open collaboration and open standards will serve as the foundation for trust, interoperability, and sovereignty in the global data economy.
Prediction 3: 2026 will lay the groundwork for the next era of open source silicon
Next year is a pivotal time for open source hardware as the immense efforts of academia gain traction in real-world applications. In 2026 and beyond, we’ll see open source hardware play an increasingly important role in academic and early-stage commercial products. New configurations of RISC-V CVA6 and CV-Wally cores will be especially influential in this early wave of adoption.
Research and innovation efforts will accelerate progress. European projects backed by the Chips JU, such as TRISTAN and Rigoletto, and projects including CHERIoT, will further strengthen the ecosystem by bringing academia and industry together for collaborative semiconductor R&D.
With major adopters and contributors such as Thales already demonstrating the benefits of building on open hardware, 2026 will mark a shift in how organisations approach hardware design and maintenance. More companies will explore open source silicon options. According to research firm Omdia, RISC-V processors are on track to account for almost a quarter of the global market by 2030, signalling that this shift is already well underway.
Prediction 4: 2026 will trigger alarm over the CRA as companies around the world realise they are behind on compliance.
The EU Cyber Resilience Act is the world’s first horizontal cybersecurity regulation, mandating secure-by-design and supply-chain security best practices. It comes with potential fines of up to €15 million or 2.5% of a company’s global annual turnover. In 2026, it will become impossible to ignore. As the deadline approaches, many organisations will scramble to understand and meet the CRA’s requirements, resulting in widespread urgency across global markets.
Beginning September 11, 2026, the CRA mandatory vulnerability reporting requirements take effect, and every manufacturer selling products in Europe will be required to comply. Yet awareness remains alarmingly low, with just 12.3% of SMEs being aware of the CRA compared to 83.5% of very large enterprises. The gap between expectations and preparedness will become painfully clear.
There is, however, a silver lining. As compliance pressures increase, policymakers could emerge as the greatest champions of open source sustainability. The CRA explicitly places security responsibility on manufacturers and not on maintainers of open source projects, which could provide long-overdue clarity and support for the open source ecosystem.
Initiatives like Open Regulatory Compliance (ORC) will help technology companies coordinate their CRA readiness, reducing duplicative efforts, mitigating risks, and protecting innovation. By working together on shared compliance frameworks, organisations can meet regulatory expectations while continuing to advance open source development.
Prediction 5: 2026 will be the year the industry reinvests in open source infrastructure.
The global software ecosystem runs on open source infrastructure, yet for years, many global enterprises have relied on it without meaningfully contributing back. In September, I, along with many other open source stewards, called on the businesses that benefit most to take a larger role in sustaining this critical infrastructure. Encouragingly, that call is already being answered.
One example is Amazon’s recent support for the Eclipse Foundation. This commitment strengthens multiple core services, including the Open VSX Registry, the vendor-neutral extension registry for the Visual Studio Code ecosystem that powers many AI-enabled development environments.
The Open VSX Registry is now one of the fastest-growing package registries in the world. It serves as the default registry for several leading AI developer tools, including Amazon’s Kiro, Cursor, Google Antigravity, Windsurf, IBM’s Project Bob, and others. In 2025, it averaged more than 110 million downloads each month. It now hosts more than 7,000 extensions from nearly 5,000 publishers. With strong enterprise engagement and open governance, the registry is becoming a central distribution hub for the next generation of AI software development tooling.
In 2026, we will also see open infrastructure providers, including the Eclipse Foundation, explore new ways to align funding with commercial and enterprise usage while maintaining openness for general and individual use. Each ecosystem will take its own path, and some experimentation will be needed to achieve the right balance, but the direction is clear. These efforts will strengthen open infrastructure and help ensure that essential shared services remain reliable and sustainable for everyone who relies on them.
AWS invests in strengthening open source infrastructure at the Eclipse Foundation
In our recent open letter and blog post on sustainable stewardship of open source infrastructure, we called on the industry to take a more active role in supporting the systems and services that drive today’s software innovation. Today, we’re excited to share a powerful example of what that kind of leadership looks like in action.
The Eclipse Foundation is pleased to announce that Amazon Web Services (AWS) has made a significant investment to strengthen the reliability, performance, and security of the open infrastructure that supports millions of developers around the world. This commitment will benefit multiple core services, including Open VSX Registry, the open source registry for Visual Studio Code extensions that powers AI-enabled development environments such as Kiro and other leading tools.
Sustaining the backbone of open source innovation
For more than two decades, the Eclipse Foundation has quietly maintained open infrastructure that forms the foundation of modern software creation for millions of software developers worldwide. Its privately hosted systems deliver more than 500 million downloads each month across services such as download.eclipse.org, the Eclipse Marketplace, and Open VSX. These platforms serve as the backbone for individuals, organisations, and communities that rely on open collaboration to build the technologies of the future.
AWS’s investment will help improve performance, reliability, and security across this infrastructure. The collaboration reflects a shared commitment to keeping open source systems resilient, transparent, and sustainable at global scale.
Open VSX: a model for sustainable open infrastructure
Open VSX is a vendor-neutral, open source (EPL-2.0) registry for Visual Studio Code extensions. It serves as the default registry for Kiro, Amazon’s AI IDE platform, and is relied upon by a growing global community of developers. The registry now hosts over 7,000 extensions from nearly 5,000 publishers and delivers in excess of 110 million downloads per month. As a leading registry serving developer communities worldwide, including JavaScript and AI development communities, Open VSX has become a vital piece of open source infrastructure that supports thousands of development teams worldwide.
By supporting Open VSX, AWS is helping to strengthen the foundations of this essential service and reinforcing the Eclipse Foundation’s ability to provide secure, reliable, and globally accessible infrastructure. Their contribution reflects the importance of collective investment in maintaining the resilience, openness, and security of the tools developers use every day.
This sponsorship highlights the shared responsibility that all organisations have in sustaining the technologies they depend on. It also sets a strong example of how industry leaders can contribute to ensuring that the services we all rely on remain trustworthy, scalable, and sustainable for the future.
Improving reliability, security, and trust
The AWS investment is helping strengthen security, ensuring fair access, and improving long-term service reliability. Ongoing work focuses on enhancing malware detection, improving traffic management, and expanding operational monitoring to ensure a stable and trusted experience for developers around the world.
As part of this collaboration, AWS is providing infrastructure and services that will improve availability, performance, and scalability across these systems. This support will accelerate key roadmap initiatives and help ensure that the platforms developers rely on remain secure, scalable, and trustworthy well into the future.
A shared commitment to open source sustainability
AWS’s contribution demonstrates how industry leaders can make strategic investments in sustaining the shared infrastructure their businesses depend on every day. By investing in the services that support open source development, AWS is helping to ensure that critical technologies remain open, reliable, and accessible to everyone.
The Eclipse Foundation continues to serve as an independent steward of open source infrastructure, maintaining the tools and systems that enable software innovation across industries. Together with supporters like AWS, we are building a stronger foundation for the future of open collaboration.
But this is only the beginning. The long-term health of open source infrastructure depends on collective action and shared responsibility. We encourage other organisations to follow AWS’s example and take an active role in sustaining the technologies that make modern development possible.
Learn how your organisation can make a difference through Eclipse Foundation membership or direct sponsorship opportunities. The future of open innovation depends on all of us, and together we can keep it strong, secure, and sustainable.
Businesses built on open infrastructure have a responsibility to sustain it
The global software ecosystem runs on open source infrastructure. As demand grows, we invite the businesses who rely on it most to play a larger role in sustaining it.
Open source infrastructure is the backbone of the global digital economy. From registries to runtimes, open source underpins the tools, frameworks, and platforms that developers and enterprises rely on every day. Yet as demand for these systems grows, so too does the urgency for those who depend on them most to play a larger role in sustaining their future.
Today, the Eclipse Foundation, alongside Alpha-Omega, OpenJS Foundation, Open SSF, Packagist (Composer), the Python Software Foundation (PyPI), the Rust Foundation (crates.io), and Sonatype (Maven Central), released a joint open letter urging greater investment and support for open infrastructure. The letter calls on those who benefit most from these critical digital resources to take meaningful steps toward ensuring their long-term sustainability and responsible stewardship.
The scale of open source’s impact cannot be overstated: a 2024 Harvard study, The Value of Open Source Software, estimated that the supply-side value of widely used OSS tops $4.15 billion, while the demand-side value reached $8.8 trillion. Even more striking, 96% of that value came from the work of just 5% of OSS developers. The authors of the study estimate that without open source, organisations would need to spend more than 3.5 times their current software budgets to replicate the same capabilities.
This open ecosystem now powers much of the software industry worldwide, a sector worth trillions of dollars. Yet the investment required to sustain its underlying infrastructure has not kept pace. Running enterprise-grade infrastructure that provides zero downtime, continuous monitoring, traceability, and secure global distribution carries very real costs. The rapid rise of generative and agentic AI has only added to the strain, driving massive new workloads, many of them automated and inefficient.
The message is clear: with meaningful financial support and collaboration from industry, we can secure the long-term strength of the open infrastructure you rely on. Without that shared commitment, these vital resources are at risk.
Open VSX: Critical infrastructure worth investing in
The Eclipse Foundation stewards Open VSX, the world’s largest open source registry for VS Code extensions. Originally created to support Eclipse Foundation projects, it has grown into essential infrastructure for enterprises, serving millions of developers. Today it is the default marketplace for many VS Code forks and cloud environments, and as AI-native development and platform engineering accelerate, Open VSX is emerging as a backbone of extension infrastructure used by AI-driven development tools.
Open VSX currently handles over 100 million downloads each month, a nearly 4x increase since early 2024. This rapid growth underscores the accelerating demand across the ecosystem. Innovative, high-growth companies like Cursor, Windsurf, StackBlitz, and Gitpod (now Ona) are just a few of the many organisations building on and benefiting from Open VSX. It is enterprise-class infrastructure that requires significant investment in security, staffing, maintenance, and operations.
Yet there is a clear imbalance between consumption and contribution.
Since its launch in September 2022:
- Over 3,000 issues have been submitted by more than 2,500 individuals
- Around 1,200 pull requests have been submitted, but only by 43 contributors
In a global ecosystem with tens of thousands of users, fewer than 50 people are doing the work to keep things running and improving. That gap between use and support is difficult to maintain over the long term.
A proven model for sustainability
The Eclipse Foundation also stewards Eclipse Temurin, the open source Java runtime provided by the Adoptium Working Group. With more than 700 million downloads and counting, Temurin has become a cornerstone of the Java ecosystem, offering enterprises a cost-effective, production-grade option.
To help maintain that momentum, the Adoptium Working Group launched the Eclipse Temurin Sustainer Program, designed to encourage reinvestment in the project and support faster releases, stronger security, and improved test infrastructure. The new Temurin ROI calculator shows that enterprises can save an average of $1.6 million annually by switching to open source Java.
Together, Open VSX and Temurin demonstrate what is possible when there is shared investment in critical open source infrastructure. But the current model of unlimited, no-cost use cannot continue indefinitely. The shared goal must be to create a sustainable and scalable model in which commercial consumers of these services provide the primary financial support. At the same time, it is essential to preserve free access for open source users, including individual developers, maintainers, and academic institutions.
We encourage all adopters and enterprises to get involved:
- Contribute to the code: Review issues, submit patches, and help evolve the projects in the open under Eclipse Foundation governance.
- Sustain what you use: Support hosting, testing, and security through membership, sponsorship, or other financial contributions, collaborating with peers to keep essential open infrastructure strong.
Investing now helps ensure the systems you depend on remain resilient, secure, and accessible for everyone.
Looking ahead
The growth of Open VSX and Eclipse Temurin underscores their value and importance. They have become cornerstones of modern development, serving a global community and fueling innovation across industries. But growth must be matched with sustainability. Because those who benefit most have not always stepped up to support these projects, we are implementing measures such as rate limiting. This is not about restricting access. It is about keeping the doors open in a way that is fair and responsible.
We are at a turning point. The future of open source infrastructure depends on more than goodwill. I remain optimistic that we can meet this challenge. By working together, industry and the open source community can ensure that these vital systems remain reliable, resilient, and accessible to all. I invite you to join us in honouring the spirit of open source by aligning responsibility with usage and helping to build a sustainable future for shared digital infrastructure.