Open Source
Cybersecurity statistics about open source
In the first 63 days of the Anthropic Claude Mythos Preview, Mythos disclosed 1,596 verified vulnerabilities across 281 open-source projects.
Only 6.1% of Mythos disclosures are marked as patched, despite 90.9% maintainer acknowledgment.
The Axios NPM package was downloaded 100 million times per week.
Malware operators compromised 350 GitHub repositories to inject malicious code into JavaScript and Python projects.
89% of UK IT decision makers agree that public policy and regulation should mandate open source principles such as transparency and auditability to help organisations achieve AI sovereignty.
IT decision makers say the most valuable open source benefits for building trust in AI over the next three years are transparency and easier auditability (87%), more customisation for business and regulatory needs (82%), and greater control over how AI is built and where it runs (80%).
80% of IT decision makers see open source as providing greater control over how AI is built and where it runs.
Fewer than half of organizations plan to increase budgets for 2026.
Only 21% of organizations enforce protections like cooldown periods.
81% of organizations name OSS malware a top security priority.
88% of IT professionals across DevOps, Security, and Software Engineering roles say the first few days after a package release are the riskiest.
In 2025, 92% of npm account takeovers occur.
For of open-source users on enterprise teams, the greatest enemy of security is the uptime mandate.
Roughly two-thirds (65.7%) of businesses spend 10 hours or less per month on Linux maintenance.
At least 43% of enterprises that use open-source technology report a mechanism in place to monitor whether those technologies are active, in maintenance, or EOL (7.5% do not track; 4.2% are unsure).
Organizations relying on public project documentation are most strongly represented among those discovering EOL during regular dependency reviews (57.1%).
Organizations in the 1,001–5,000 employee band are the most reactive, with 69.1% discovering EOL status only after something breaks or a vendor notifies them.
Teams that surface EOL through dependency reviews (74.3%) or security scanning (69.7%) most often choose upgrades, suggesting planned remediation is more feasible when signals arrive earlier.
When EOL is identified through breakage or compatibility failures, reliance on ELS/vendor patching rises (59.7%) while upgrades are least common (18.2%).
A majority of surveyed organizations report using fewer than 100 direct open-source projects or libraries in production, with the largest share (~35%) clustered between 25 and 99.