Announcing the 2017 State of Open Source Security Report

Tim Kadlec's avatar Tim Kadlec

Today we’re excited to launch the 2017 State of Open Source Security Report! You can download the full report as a free PDF, or visit the report site for an overview of the findings.

Open source is awesome and rapidly growing. The more businesses rely on it for their applications, the more critical it becomes that the components we build and use are secure. The State of Open Source Security Report takes a high-level view of the open source security landscape, zeroing in on where we are today and what we can do to be more secure tomorrow.

The report pulls data from a survey we ran back in September of over 500 open-source users and maintainers (a huge thank you to everyone who responded!), Snyk internal data based on more than 40,000 projects, information published by Red Hat Linux, and data we gathered by scanning millions of GitHub repositories and packages on registries. We worked with the wonderful folks at Sparkbox to get it all put together in a beautiful site and PDF.

The report uncovered a ton of interesting insights. For example, did you know that:

  • Open source library vulnerabilities increased by 53.8% in 2016, while Red Hat Linux vulnerabilities decreased.
  • The median time from when a vulnerability is first introduced into a package to when it is disclosed is 2.5 years, but the median time from disclosure to a fix being released is only 16 days.
  • 79.5% of open-source maintainers say that they have no public-facing disclosure policy in place, and those that do are more than three times as likely to have a vulnerability disclosed to them privately.
  • Of 433,000 sites tested, 77% run at least one client-side JavaScript library with a known security vulnerability.

For more data like this, download the full report or visit the report site.

As we note in the conclusion of the report, securing open source is not something that will happen overnight. But together, with all of us making a concerted effort to take baby steps to improve our security posture, we can improve the state of open source security, and in the process, ensure that it remains a thriving and vibrant ecosystem.

