Open Source Security

Josh chats with Sal Kimmich about the current state of everything, and what we can expect next. Sal has some incredible insight into what we can expect to see due to the current wave of security bugs and incidents. There are some new features we will need in both our hardware and software to ward off the state of things. Since those features are years away, what we need in the short term is shoring up our SDLC programs. Sal has some really good medical examples and analogies for this one. It's a huge problem but not insurmountable.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-06-verification-sal-kimmich/

Josh talks to Casey Ellis about why vulnerability disclosure is so hard, and also so important. Casey is one of the best in this space having been a Bugcrowd founder. There are few people with more experience and insight into how a security vulnerability should be handled, and why the explosion of AI is making all this much harder than it's ever been before. While finding vulnerabilities is easy, reporting them is still a lot of work. Casey is working on helping everyone better understand all this with his disclose.io project.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-05-vulnerability-disclosure-casey-ellis/

Josh talks to Hans-Christoph Steiner about F-Droid, the Free and Open Source Android App Repository. The way F-Droid works looks a lot like a Linux distribution which has some interesting security challenges, but also some great security benefits. Hans walks us through the current state of open app repositories and also what the future currently looks like. There are more open phones than ever before, but there are also more challenges than ever before. Hans breaks it all down in an easy to understand way.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-05-fdroid-hans-steiner/

Josh talks to Kat Cosgrove about a how companies should be treating open source more like their critical infrastructure than free stuff. Kat has a ton of knowledge about how the interactions between companies and open source communities can work well, or not work at all. Kat's time on the Kubernetes Release Team. We touch on how a project like Kubernetes is super successful, while another, Ingress NGINX, was not. It's a super insightful discussion with a ton of lessons and advice for everyone.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-05-open-source-infrastructure-kat/

Josh and David finish up the disaster recovery and emergency planning trilogy. In this one David tells us how to test the plan he told us how to build in the last episode. There are some great ideas in this one about how to test the process not the people. How to construct the plan, and even some tips to go from a plan to some actual real world testing. It's another episode filled with great and practical advice.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-05-testing-the-plan-david-bernstein/