Posts Tagged ‘Open Source’
Frontier AI and the next phase of software vulnerability defence
As advanced AI lowers the cost of discovering and exploiting software vulnerabilities, Europe must treat open source security and rapid patch deployment as critical resilience infrastructure
Context. Frontier AI systems have crossed an important threshold for cybersecurity and software resilience. They are no longer limited to code completion, triage, or report writing; the most capable models can now assist with vulnerability discovery, exploitability analysis, and, increasingly, patch generation. Anthropic’s Project Glasswing, launched on April 7, 2026, put this shift in the public eye by giving selected critical software operators and maintainers early access to Claude Mythos Preview for defensive security work. Anthropic described Glasswing as an initiative to secure critical software with early access to frontier AI, involving major infrastructure, cloud, financial, and open source actors, and extending access to more than 40 organisations that build or maintain critical software infrastructure. Through our longstanding partnership with the Alpha Omega Project, the Eclipse Foundation has been part of the Glasswing Project since its inception, giving us direct experience with this emerging model of AI-assisted vulnerability discovery. To our knowledge, we are currently the only EU-domiciled organisation participating in the initiative, giving us a unique vantage point on how frontier AI capabilities are beginning to reshape software security and resilience.
Why this matters now. The capability jump does not appear to be limited to one model, one vendor, or one ecosystem. The UK AI Security Institute found that Claude Mythos Preview represented a step-change in cyber performance, including autonomous progress on multi-step attack simulations and high success on expert-level cyber tasks. Less than three weeks later, AISI reported that OpenAI GPT-5.5 reached a similar level of performance on its cyber evaluations and was the second model to complete one of AISI’s multi-step cyber-attack simulations end-to-end. Open-weight models are also narrowing the gap: CAISI’s May 2026 evaluation described DeepSeek V4 Pro as the most capable Chinese model it had evaluated across cyber, software engineering, science, reasoning, and mathematics, while still lagging the leading U.S. frontier by roughly eight months. The implication is that capabilities currently concentrated among a small number of frontier AI providers will quickly become cheaper, more widely available, and harder to govern. This makes early institutional experience with frontier defensive AI workflows strategically important.
The immediate risk: a vulnerability and patching imbalance. Critical infrastructure operators, including energy, transportation, water, health, public services, and financial services, are especially exposed because many run complex, legacy, opaque software estates where patching is slow, cautious, and operationally disruptive. This is not a hypothetical concern: the US Government Accountability Office’s (GAO) 2025 review of critical federal legacy systems found outdated languages, unsupported hardware or software, and known cybersecurity vulnerabilities in systems supporting missions such as critical infrastructure, tax processing, and national security. CISA similarly warns that outdated software is a gateway for threat actors in critical infrastructure contexts, including public-facing routers, VPNs, and firewalls used to reach operational systems. NCSC now expects a “vulnerability patch wave”: a rush of software updates across open source and commercial software stacks as AI accelerates discovery of long-standing technical debt.
The systemic threat. AI-assisted vulnerability discovery changes the economics of offense. It lowers the time, expertise, and cost needed to find flaws, validate exploitability, and turn known-but-unpatched vulnerabilities into working attacks. This is particularly dangerous where many institutions depend on the same software, libraries, cloud providers, identity systems, network appliances, or open source software components. For decades, many IT and operational technology environments have treated patching as an operational disruption to be minimized, especially when systems appear to be running correctly. In some cases, this caution is understandable: outages can have safety, economic, regulatory, and reputational consequences. But the balance of risk is changing. When AI can accelerate vulnerability discovery and exploitation, “stable but unpatched” systems can quickly become systematically exposed. Changing this culture and making rapid, well-tested patch deployment a core resilience function may be one of the hardest short-term challenges. The most serious concern is the possibility that threat actors will use AI to discover and exploit “zero day” vulnerabilities before patches are available. The IMF warned on May 7, 2026 that advanced AI models can reduce the time and cost of identifying and exploiting vulnerabilities, increasing the likelihood of correlated failures across widely used systems; it specifically identified financial intermediation, payments, and confidence as systemic risk channels. The same concern applies to cross-sector dependencies among finance, energy, telecommunications, public services, and digital infrastructure.
The Eclipse Foundation’s key finding. Our most important finding from the one-month experiment with Mythos was that operational workflows, validation pipelines, and human oversight matter at least as much as the model. Glasswing’s real significance is not simply that one frontier model found more vulnerabilities. It is that a community of security researchers can iteratively improve prompts, agentic harnesses, target selection methods, reproduction pipelines, and triage workflows, and then apply those methods across multiple market-available models, including cheaper and more widely accessible ones. Anthropic’s own technical write-up reinforces this point: its vulnerability work used agentic scaffolds, containers, target ranking, repeated runs, and validation methods rather than a bare chatbot prompt. NCSC likewise stresses that practical AI cyber capability comes from AI systems—models combined with tools, workflows, and human oversight—not from raw model capability alone.
The opportunity: shared defence capacity at machine speed. The same tools that raise offensive risk can strengthen defense if deployed first and responsibly. AI can continuously scan code and dependencies, generate fuzzing harnesses, prioritize findings by exploitability and exposure, propose patches, produce regression tests, summarize impact for maintainers, and accelerate coordinated vulnerability disclosure. NCSC identifies three high-value defensive uses: reducing attack surface through AI-enabled testing and hardening, improving detection and investigation, and automating mitigation and response where carefully governed. The strategic objective should be to convert AI-driven discovery into AI-assisted remediation faster than adversaries can convert discovery into exploitation. Organisations that are not using AI to strengthen threat detection, prevention, and mitigation risk being outpaced by AI-enabled attackers.
What Europe should do now. Europe should treat AI-enabled open source security as shared digital resilience infrastructure. That means investing in trusted vulnerability discovery, coordinated disclosure, maintainer support, patch validation, and deployment readiness across the software components that underpin critical services. No single vendor, foundation, institution, or member state can solve this alone; it requires an ecosystem response. Europe should also ensure that trusted public institutions and open source ecosystems remain directly involved in frontier AI cybersecurity evaluation and remediation efforts, rather than relying on commercial actors outside Europe.
Open source is not the problem; it is the solution. The risk does not come from open source. It comes from the fact that many organisations depend on software they do not fully understand, cannot fully inventory, and cannot patch quickly enough. Open source makes that dependency visible, auditable, and repairable. Open source governance structures may become increasingly important in AI-enabled remediation ecosystems because their transparency, global maintainer communities, reproducible builds, public issue tracking, coordinated disclosure practices, and shared security tooling make them uniquely capable of operating at ecosystem scale. CISA’s Open Source Software Security Roadmap explicitly recognizes OSS as a public good supported by diverse communities and calls for supporting critical OSS components relied on by government and critical infrastructure. Furthermore, AI is enabling increasingly sophisticated reverse engineering tools that can generate source code from proprietary binaries, making “security through obfuscation” an implausible strategy.
Conclusion. This is a global software resilience issue, with direct implications for Europe’s security, digital sovereignty, and strategic autonomy. Critical infrastructure and financial services everywhere rely on globally developed open source components, shared platforms, and common supply chains. Local champions will matter, but isolated national responses will not be sufficient. The priority is coordinated action: shared AI-enabled vulnerability discovery, trusted disclosure channels, maintainer support, rapid patch production, dependency intelligence, and deployment capacity across public and private sectors. The Eclipse Foundation will work with public institutions, industry, and open source communities to help strengthen these shared resilience capabilities across the European software ecosystem. Ultimately, resilience will depend not only on AI capability itself, but on trusted ecosystems capable of coordinating remediation rapidly across shared infrastructure. Open source should be treated not as the weak link, but as the coordination layer through which Europe and its global partners can find, fix, validate, and deploy security improvements at the speed modern resilience now requires.
Join us in Brussels: Meet the OCX 2026 keynote speakers
As we approach Open Community Experience (OCX) 2026, taking place 21–23 April in Brussels, I’ve been reflecting on this year’s program and what it says about where our community is heading.
At its core, OCX is about bringing together the different communities that are supported by the Eclipse Foundation. That includes work happening across AI, mobility, developer tooling, embedded systems, security and compliance, and public policy & research. These areas are increasingly connected, and the people working in them are often tackling similar challenges from different angles. We often describe the Eclipse Foundation as a “community of communities,” and OCX is a reflection of that. It creates space for those communities to come together, compare notes, and learn from each other. Developers, policymakers, business leaders, and other contributors to the open source ecosystem all have a role to play in those conversations.
This year, I will once again have the privilege of opening OCX with my “State of the union” keynote. I will share reflections on how open source is evolving, along with our strategic priorities as we navigate a landscape shaped by rapid advances in AI, increasing regulatory complexity, and growing expectations for secure and trustworthy software. It is a moment that calls for clarity of purpose and for collaboration at scale.
Of course, one of the highlights of OCX is always the keynote program, and this year we have assembled an exceptional group of speakers who bring a diverse and compelling set of perspectives.
Ruth Buscombe, a Formula 1 race strategist and F1TV analyst, will share insights drawn from one of the most demanding, data-driven environments in the world. Her experience translating complex data into real-time decisions offers a powerful parallel to open source communities, where transparency, coordination, and trust are essential to success. Her work advocating for diversity in STEM also serves as an important reminder that strong communities are built through inclusion. Get a snapshot of her keynote in this teaser video.
Nadia Aimé, Cybersecurity Cloud Solution Architect at Microsoft, will share a deeply personal perspective on navigating a career in technology amid constant change. As AI continues to reshape the industry and cybersecurity challenges grow more complex, Nadia’s story highlights the enduring importance of resilience, curiosity, and community. Her message is a timely reminder that while technologies shift, the human qualities that underpin meaningful contribution remain constant.
From SAP, Axel Uhl will explore how open source technologies enable innovation at scale. Drawing on SAP’s work in competitive sailing, his keynote will demonstrate how Eclipse Foundation technologies have been used to build sophisticated digital twins capable of modelling complex, real-world systems used in the Olympic Games. It is a compelling example of how open source can serve as both a foundation for experimentation and a driver of operational excellence.
We will also host a high-level panel discussion on the implementation of the Cyber Resilience Act (CRA). As the conversation shifts from policy to practice, this session will explore what it takes to turn regulatory ambition into effective, real-world outcomes. Bringing together leading voices from across the European ecosystem, this discussion will examine governance, standardisation, and market readiness, as well as the critical role open source must play in shaping a secure and innovative digital future.
And, as always, the keynotes are just one part of the experience. OCX 2026 will feature a rich program of technical sessions, hands-on workshops, and the kind of informal conversations where some of the most valuable ideas emerge.
What continues to make this event special is the people. It is the opportunity to reconnect with colleagues, meet new contributors, and take part in discussions that genuinely matter. There is a shared sense of purpose that comes from bringing so many perspectives together in one place, and it is something I look forward to every year.
I am very much looking forward to welcoming you to Brussels this April. OCX 2026 is an opportunity to learn from one another, strengthen our community, and continue shaping the future of open source together.
See you there!
AWS invests in strengthening open source infrastructure at the Eclipse Foundation
In our recent open letter and blog post on sustainable stewardship of open source infrastructure, we called on the industry to take a more active role in supporting the systems and services that drive today’s software innovation. Today, we’re excited to share a powerful example of what that kind of leadership looks like in action.
The Eclipse Foundation is pleased to announce that Amazon Web Services (AWS) has made a significant investment to strengthen the reliability, performance, and security of the open infrastructure that supports millions of developers around the world. This commitment will benefit multiple core services, including Open VSX Registry, the open source registry for Visual Studio Code extensions that powers AI-enabled development environments such as Kiro and other leading tools.
Sustaining the backbone of open source innovation
For more than two decades, the Eclipse Foundation has quietly maintained open infrastructure that forms the foundation of modern software creation for millions of software developers worldwide. Its privately hosted systems deliver more than 500 million downloads each month across services such as download.eclipse.org, the Eclipse Marketplace, and Open VSX. These platforms serve as the backbone for individuals, organisations, and communities that rely on open collaboration to build the technologies of the future.
AWS’s investment will help improve performance, reliability, and security across this infrastructure. The collaboration reflects a shared commitment to keeping open source systems resilient, transparent, and sustainable at global scale.
Open VSX: a model for sustainable open infrastructure
Open VSX is a vendor-neutral, open source (EPL-2.0) registry for Visual Studio Code extensions. It serves as the default registry for Kiro, Amazon’s AI IDE platform, and is relied upon by a growing global community of developers. The registry now hosts over 7,000 extensions from nearly 5,000 publishers and delivers in excess of 110 million downloads per month. As a leading registry serving developer communities worldwide, including the JavaScript and AI development communities, Open VSX has become a vital piece of open source infrastructure that supports thousands of development teams.
By supporting Open VSX, AWS is helping to strengthen the foundations of this essential service and reinforcing the Eclipse Foundation’s ability to provide secure, reliable, and globally accessible infrastructure. Their contribution reflects the importance of collective investment in maintaining the resilience, openness, and security of the tools developers use every day.
This sponsorship highlights the shared responsibility that all organisations have in sustaining the technologies they depend on. It also sets a strong example of how industry leaders can contribute to ensuring that the services we all rely on remain trustworthy, scalable, and sustainable for the future.
Improving reliability, security, and trust
The AWS investment is helping to strengthen security, ensure fair access, and improve long-term service reliability. Ongoing work focuses on enhancing malware detection, improving traffic management, and expanding operational monitoring to ensure a stable and trusted experience for developers around the world.
As part of this collaboration, AWS is providing infrastructure and services that will improve availability, performance, and scalability across these systems. This support will accelerate key roadmap initiatives and help ensure that the platforms developers rely on remain secure, scalable, and trustworthy well into the future.
A shared commitment to open source sustainability
AWS’s contribution demonstrates how industry leaders can make strategic investments in sustaining the shared infrastructure their businesses depend on every day. By investing in the services that support open source development, AWS is helping to ensure that critical technologies remain open, reliable, and accessible to everyone.
The Eclipse Foundation continues to serve as an independent steward of open source infrastructure, maintaining the tools and systems that enable software innovation across industries. Together with supporters like AWS, we are building a stronger foundation for the future of open collaboration.
But this is only the beginning. The long-term health of open source infrastructure depends on collective action and shared responsibility. We encourage other organisations to follow AWS’s example and take an active role in sustaining the technologies that make modern development possible.
Learn how your organisation can make a difference through Eclipse Foundation membership or direct sponsorship opportunities. The future of open innovation depends on all of us, and together we can keep it strong, secure, and sustainable.
Businesses built on open infrastructure have a responsibility to sustain it
The global software ecosystem runs on open source infrastructure. As demand grows, we invite the businesses who rely on it most to play a larger role in sustaining it.
Open source infrastructure is the backbone of the global digital economy. From registries to runtimes, open source underpins the tools, frameworks, and platforms that developers and enterprises rely on every day. Yet as demand for these systems grows, so too does the urgency for those who depend on them most to play a larger role in sustaining their future.
Today, the Eclipse Foundation, alongside Alpha-Omega, OpenJS Foundation, Open SSF, Packagist (Composer), the Python Software Foundation (PyPI), the Rust Foundation (crates.io), and Sonatype (Maven Central), released a joint open letter urging greater investment and support for open infrastructure. The letter calls on those who benefit most from these critical digital resources to take meaningful steps toward ensuring their long-term sustainability and responsible stewardship.
The scale of open source’s impact cannot be overstated: a 2024 Harvard study, The Value of Open Source Software, estimated that the supply-side value of widely used OSS tops $4.15 billion, while the demand-side value reached $8.8 trillion. Even more striking, 96% of that value came from the work of just 5% of OSS developers. The authors of the study estimate that without open source, organisations would need to spend more than 3.5 times their current software budgets to replicate the same capabilities.
This open ecosystem now powers much of the software industry worldwide, a sector worth trillions of dollars. Yet the investment required to sustain its underlying infrastructure has not kept pace. Running enterprise-grade infrastructure that provides zero downtime, continuous monitoring, traceability, and secure global distribution carries very real costs. The rapid rise of generative and agentic AI has only added to the strain, driving massive new workloads, many of them automated and inefficient.
The message is clear: with meaningful financial support and collaboration from industry, we can secure the long-term strength of the open infrastructure you rely on. Without that shared commitment, these vital resources are at risk.
Open VSX: Critical infrastructure worth investing in
The Eclipse Foundation stewards Open VSX, the world’s largest open source registry for VS Code extensions. Originally created to support Eclipse Foundation projects, it has grown into essential infrastructure for enterprises, serving millions of developers. Today it is the default marketplace for many VS Code forks and cloud environments, and as AI-native development and platform engineering accelerate, Open VSX is emerging as a backbone of extension infrastructure used by AI-driven development tools.
Open VSX currently handles over 100 million downloads each month, a nearly 4x increase since early 2024. This rapid growth underscores the accelerating demand across the ecosystem. Innovative, high-growth companies like Cursor, Windsurf, StackBlitz, and GitPod (now Ona) are just a few of the many organisations building on and benefiting from Open VSX. It is enterprise-class infrastructure that requires significant investment in security, staffing, maintenance, and operations.
Yet there is a clear imbalance between consumption and contribution.
Since its launch in September 2022:
- Over 3,000 issues have been submitted by more than 2,500 individuals
- Around 1,200 pull requests have been submitted, but only by 43 contributors
In a global ecosystem with tens of thousands of users, fewer than 50 people are doing the work to keep things running and improving. That gap between use and support is difficult to maintain over the long term.
A proven model for sustainability
The Eclipse Foundation also stewards Eclipse Temurin, the open source Java runtime provided by the Adoptium Working Group. With more than 700 million downloads and counting, Temurin has become a cornerstone of the Java ecosystem, offering enterprises a cost-effective, production-grade option.
To help maintain that momentum, the Adoptium Working Group launched the Eclipse Temurin Sustainer Program, designed to encourage reinvestment in the project and support faster releases, stronger security, and improved test infrastructure. The new Temurin ROI calculator shows that enterprises can save an average of $1.6 million annually by switching to open source Java.
Together, Open VSX and Temurin demonstrate what is possible when there is shared investment in critical open source infrastructure. But the current model of unlimited, no-cost use cannot continue indefinitely. The shared goal must be to create a sustainable and scalable model in which commercial consumers of these services provide the primary financial support. At the same time, it is essential to preserve free access for open source users, including individual developers, maintainers, and academic institutions.
We encourage all adopters and enterprises to get involved:
- Contribute to the code: Review issues, submit patches, and help evolve the projects in the open under Eclipse Foundation governance.
- Sustain what you use: Support hosting, testing, and security through membership, sponsorship, or other financial contributions, collaborating with peers to keep essential open infrastructure strong.
Investing now helps ensure the systems you depend on remain resilient, secure, and accessible for everyone.
Looking ahead
The growth of Open VSX and Eclipse Temurin underscores their value and importance. They have become cornerstones of modern development, serving a global community and fueling innovation across industries. But growth must be matched with sustainability. Because those who benefit most have not always stepped up to support these projects, we are implementing measures such as rate limiting. This is not about restricting access. It is about keeping the doors open in a way that is fair and responsible.
We are at a turning point. The future of open source infrastructure depends on more than goodwill. I remain optimistic that we can meet this challenge. By working together, industry and the open source community can ensure that these vital systems remain reliable, resilient, and accessible to all. I invite you to join us in honouring the spirit of open source by aligning responsibility with usage and helping to build a sustainable future for shared digital infrastructure.
Empowering Cloud Autonomy and Interoperability: Introducing Eclipse Cloud
The Eclipse Foundation is excited to announce the formation of the Eclipse Cloud Interest Group, aimed at empowering cloud providers, users, and industry vendors to independently build, manage, and operate cloud services, promoting freedom from vendor lock-in, interoperability, and resilience across diverse cloud environments.
Why This Matters
In today’s digital landscape, the need for flexible, scalable and interoperable cloud solutions has never been greater. Vendor lock-in can stifle innovation, limit choices, and create unnecessary barriers for cloud users. The Eclipse Cloud Interest Group believes that cloud autonomy and interoperability are the keys to unlocking the full potential of cloud technologies. Imagine being able to switch between cloud providers seamlessly, adopt services that best meet your needs, and ensure your operations remain resilient no matter the platform. That’s the vision we’re working to achieve.
How We’re Making a Difference
This initiative doesn’t prescribe specific technologies or methods for building cloud infrastructure and services. Rather, it focuses on creating a framework for interoperability and portability. Key components like virtualisation, containerisation, orchestration, observability, billing, and identity management should be accessible, switchable, and manageable across different platforms. The goal? To make multi-cloud environments not just possible but practical and efficient.
To support this goal, the group will focus on several key areas, including the emergence of critical cloud components necessary for the development of autonomous cloud infrastructures, cloud service portability, and multi-cloud managed services interoperability. The group will also investigate ways to ensure that cloud services not only meet interoperability requirements but also adhere to expected quality, performance, and service level standards.
Our work is rooted in open source technologies, which already power much of today’s cloud infrastructure. By leveraging existing projects like Eclipse Xpanse (portable managed services), Biscuit (decentralised authentication), the Eclipse Conformity Assessment Policy and Credential Profile (standards compliance), and XCP-ng (high-performance enterprise virtualisation), we’re building a strong foundation to empower developers and organisations alike.
Aligned with EU Values
The Eclipse Cloud Interest Group aligns closely with the European Union’s Data Act, which emphasises switchability between cloud providers. By supporting these regulatory goals, we’re helping to advance digital sovereignty and strategic autonomy, ensuring Europe remains at the forefront of innovation while protecting user choice and independence.
What’s Next?
We’re just getting started, but the Eclipse Cloud Interest Group already has strong support from organisations like Clever Cloud, Gaia-X, Vates, and Overnet. Together, we’re laying the groundwork for the future of cloud services, with plans to evolve this Interest Group into an Eclipse Working Group to drive specifications and development activities.
Join Us!
Whether you’re a cloud provider, user, vendor, or part of the broader open source community, we invite you to join us in shaping the future of the cloud. Together, we can create a more autonomous, flexible, and interoperable cloud ecosystem.
Eclipse Cloud members will be at FOSDEM this week, with a BoF session planned in Track C on Saturday, February 1st at 15:00. A number of workshops to present the Interest Group are also planned in Barcelona on March 3rd (co-located with the Mobile World Congress) and in London on March 31st (co-located with KubeCon). Don’t miss the opportunity to learn more firsthand!
Stay tuned for updates, opportunities to contribute, and ways to get involved. Subscribe to our mailing list and become part of this exciting journey toward a better cloud future!