When Exploits Take Minutes, Patching Can’t Take Months

Open source risk is exploding as vulnerabilities outpace growth, AI accelerates exploits, and regulators demand much faster remediation.

Why this matters now

Open source is no longer a quiet background player; it is the backbone of modern software. According to a recent arXiv study, open source packages are growing at roughly 25% year over year, but vulnerabilities are growing almost 4x faster: between 2017 and 2025 the number of reported vulnerable packages grew by about 98% year over year, dramatically outpacing the growth of the ecosystems themselves.

This widening gap is made worse by GenAI. The boom in model releases, orchestration frameworks, and tooling is fueling even more open source activity, and in turn more exposure. (We wrote about this dynamic in The Hidden Security Debt of AI-Generated App Sprawl.)

Weaponization is accelerating

It’s not just that vulnerabilities are being discovered faster. They’re being weaponized faster too.

Valmarelox recently demonstrated an AI-driven system that can generate working exploits for new CVEs in 10–15 minutes at a cost of about $1 per CVE. Exploit creation is being industrialized and commoditized.

Detection is no longer the hard part. Exploitation isn’t either. That leaves remediation speed as the last lever defenders can pull.

Upgrading is hard (and getting harder)

Remediation should be keeping pace. It isn't.

The same arXiv study shows vulnerabilities are lingering longer in ecosystems, with vulnerability lifespan increasing significantly between 2017 and 2024.

Meanwhile, industry data (e.g., Kenna Security) shows that the median time to remediate a critical vulnerability still sits at 100+ days, an eternity when working exploits appear within minutes to hours of disclosure.

A few weaknesses dominate the landscape: just 7 CWEs account for more than half of all reports. These aren’t exotic issues-they’re the same, recurring flaws surfacing again and again.

Upgrades should help, but as we argued in The Hidden Cost of Keeping Up: Why Dependency Upgrades Are So Hard, organizations often struggle with compatibility, testing, and resource drain.

Regulators are shortening the clock

Regulators see the writing on the wall and are collapsing patching timelines.

The draft FedRAMP Continuous Vulnerability Management standard sets aggressive remediation targets:

  • Internet-reachable, credibly exploitable vulnerabilities: fix within 3 days.

  • Non-internet-reachable vulnerabilities: 7–21 days, depending on severity.

  • Continuous scanning (or at least every 3 days externally).

  • Alignment with CISA Known Exploited Vulnerabilities (KEV) catalog deadlines.

This isn’t hypothetical. It’s an active RFC that will soon shape how cloud providers, SaaS vendors, and federal suppliers are expected to operate.

We must patch much faster

The story is clear:

  • Detection is commoditized.
  • Exploitation is being commoditized.
  • Remediation speed is the only durable lever left.

And right now, it’s the weakest link.

How to close the speed gap

Closing the gap requires automation, defaults, and discipline:

  • Auto-patching by default: CI/CD pipelines that automatically apply drop-in dependency patches with guardrails (canary + rollback).

  • Secure-by-default baselines: Ship hardened configurations and least-privilege defaults to buy time when patches lag.

  • Continuous inventory & SBOMs: Keep a live dependency graph so the question “where is this vuln?” can be answered instantly.
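The last two bullets only pay off together: an SBOM tells you where a vulnerable component sits in the dependency graph, and a semver check tells you whether the fix is a drop-in patch the pipeline can apply on its own or a breaking upgrade that needs a human. The script below is an added example written for this article, not tooling from the original post or from any vendor. The CycloneDX-shaped SBOM, the package names, and the advisory IDs (ADV-000x) are all constructed for illustration and describe no real packages or CVEs; the "affected below fixed version" range and the caret-style compatibility rule are simplifying assumptions.

```python
"""Answer "where is this vuln?" from an SBOM and decide whether the fix is a
drop-in patch or a breaking upgrade.  Added example with constructed data."""
import json
from collections import deque

# Constructed CycloneDX-style SBOM (fictional packages).  One application root,
# its direct dependencies, and a transitive chain down to a vulnerable library.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"bom-ref": "app", "name": "payments-api", "version": "3.4.0"}},
    "components": [
        {"bom-ref": "pkg:npm/webframe@4.18.2", "name": "webframe", "version": "4.18.2", "purl": "pkg:npm/webframe@4.18.2"},
        {"bom-ref": "pkg:npm/bodykit@1.20.1",  "name": "bodykit",  "version": "1.20.1", "purl": "pkg:npm/bodykit@1.20.1"},
        {"bom-ref": "pkg:npm/querylib@6.10.3", "name": "querylib", "version": "6.10.3", "purl": "pkg:npm/querylib@6.10.3"},
        {"bom-ref": "pkg:npm/utilbelt@4.17.20", "name": "utilbelt", "version": "4.17.20", "purl": "pkg:npm/utilbelt@4.17.20"},
        {"bom-ref": "pkg:npm/logkit@2.0.0",    "name": "logkit",   "version": "2.0.0",  "purl": "pkg:npm/logkit@2.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/webframe@4.18.2", "pkg:npm/utilbelt@4.17.20", "pkg:npm/logkit@2.0.0"]},
        {"ref": "pkg:npm/webframe@4.18.2", "dependsOn": ["pkg:npm/bodykit@1.20.1"]},
        {"ref": "pkg:npm/bodykit@1.20.1", "dependsOn": ["pkg:npm/querylib@6.10.3"]},
    ],
})

# Constructed advisories with hypothetical IDs.  Assumption: every version below
# "fixed" (within the affected package) is vulnerable.
ADVISORIES = [
    {"id": "ADV-0001", "ecosystem": "npm", "name": "querylib", "fixed": "6.11.0"},   # patch-level fix
    {"id": "ADV-0002", "ecosystem": "npm", "name": "utilbelt", "fixed": "4.17.21"},  # patch-level fix
    {"id": "ADV-0003", "ecosystem": "npm", "name": "webframe", "fixed": "5.0.0"},    # fixed only in a new major
    {"id": "ADV-0004", "ecosystem": "npm", "name": "absentlib", "fixed": "1.0.1"},   # not in this SBOM
]


def parse_version(v):
    """Dotted numeric version to a comparable tuple: "6.10.3" -> (6, 10, 3)."""
    return tuple(int(part) for part in v.split("."))


def is_drop_in(current, fixed):
    """Caret-style compatibility: same major (same minor for 0.x releases) means
    the fix can be applied automatically; anything else is a breaking upgrade."""
    cur, fix = parse_version(current), parse_version(fixed)
    if cur[0] == 0:
        return fix[0] == 0 and fix[1] == cur[1]
    return fix[0] == cur[0]


def load_graph(sbom_json):
    """Return (root ref, components by ref, display names by ref, adjacency list)."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    names = {ref: c["name"] for ref, c in comps.items()}
    names[root] = sbom["metadata"]["component"]["name"]
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    return root, comps, names, edges


def shortest_path(edges, root, target):
    """BFS from the application root to a component.  Returns the chain of refs,
    or None when the SBOM lists the component but nothing depends on it (a sign
    the inventory is stale)."""
    prev, queue = {root: None}, deque([root])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in edges.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def find_vulnerable(sbom_json, advisories):
    """Match advisories against SBOM components and attach the dependency path
    and the remediation action for each hit."""
    root, comps, names, edges = load_graph(sbom_json)
    findings = []
    for ref, comp in comps.items():
        ecosystem = comp["purl"].split(":", 1)[1].split("/", 1)[0]  # "pkg:npm/..." -> "npm"
        for adv in advisories:
            if (adv["ecosystem"], adv["name"]) != (ecosystem, comp["name"]):
                continue
            if parse_version(comp["version"]) >= parse_version(adv["fixed"]):
                continue  # already at or past the fixed version
            path = shortest_path(edges, root, ref)
            findings.append({
                "advisory": adv["id"],
                "component": f'{comp["name"]}@{comp["version"]}',
                "path": [names[p] for p in path] if path else None,
                "direct": path is not None and len(path) == 2,
                "action": "auto-patch" if is_drop_in(comp["version"], adv["fixed"]) else "manual-upgrade",
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f'{f["advisory"]}: {f["component"]} via {" -> ".join(f["path"] or ["<unreachable>"])} -> {f["action"]}')
```

ADV-0001 and ADV-0002 come back as auto-patch candidates with the path that explains who pulls them in (the querylib hit is three hops deep, which is why "find the vulnerable file" grep-style searches miss it); ADV-0003 needs a major bump and is routed to a human; ADV-0004 produces nothing because the package is not in the inventory. In a real pipeline the auto-patch list feeds the canary-plus-rollback step from the first bullet, and a None path is worth alerting on by itself, since it means the SBOM and the build have drifted apart.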

Closing note

The math is brutal: open source is growing 25% a year, but vulnerabilities are growing 98% a year. AI can weaponize new bugs in minutes. FedRAMP wants fixes in days.

The only sustainable answer is to automate remediation and ship secure defaults, because patching in months is already too late.
