AI, open code and vulnerability risk in the public sector (UK)
- #open source policy
- #public sector vulnerability management
- #AI security
- The public sector should maintain an open-by-default policy for publishing source code, with limited exceptions.
- The primary exploitation risk comes from system weaknesses, not from code publication, but AI can speed up vulnerability discovery.
- Minimum operational standards are required for publicly accessible systems, including clear ownership, secure-by-design practices, automated hygiene, and rapid remediation.
- Exceptions to openness must be explicit, reviewable, and based on specific threat models, not used to compensate for inadequate maintenance.
- AI accelerates vulnerability detection and shortens the discovery-to-exploit window, so strong remediation capabilities are essential.
- Private repositories can create a false sense of security and reduce reuse and scrutiny; the focus should be on secure architecture and rapid patching.
- Unmaintained code should be archived or decommissioned, and systems must meet minimum standards before considering closure.