Why Open Source Security Can't Wait: AI Risks Are Already Here | Hilary Carter, Linux Foundation

The Linux Foundation
Jun 16, 2026

Why It Matters

As AI speeds exploit discovery, organizations must treat open-source security as urgent strategic risk management; projects with strong community governance, supply-chain tooling, and certification readiness (like Zephyr) will be best positioned to meet regulatory and market demands.

Summary

Hilary Carter of the Linux Foundation said her team’s research shows that open-source collaboration and community governance deliver value well beyond the code itself, from project sustainability to trust and resilience. She highlighted Zephyr’s decade-long growth and strong security culture, citing widespread planned adoption, SBOM generation in the SPDX format, and readiness for the Cyber Resilience Act, as a model for embedded and resource-constrained systems. Carter warned that AI accelerates the discovery of vulnerabilities by defenders and attackers alike, making proactive, transparent open-source security practices and certifications essential. She framed open source as both the fastest-moving innovation model and the best platform for scaling security responses across industries and geographies.

Original Description

Open source software powers critical infrastructure, embedded systems, and enterprise platforms worldwide, yet the security practices and economic value behind it remain poorly understood. As AI-generated code accelerates contribution velocity and introduces new classes of vulnerabilities, organizations need empirical data, not assumptions, to make sound decisions.
In this exclusive interview with Swapnil Bhartiya at TFiR, Hilary Carter, SVP of Research at The Linux Foundation, shares findings from more than 100 studies produced over five years of research into open source dynamics, security, community health, and economic value. Carter covers the Zephyr RTOS at its 10-year milestone, the dual-edged impact of AI on open source security, and an upcoming ROI study targeting the energy sector.
Key Topics Covered:
- Zephyr RTOS at 10 years: community growth metrics, Cyber Resilience Act compliance positioning, and why 69% of survey respondents plan to increase or significantly increase their use of Zephyr
- How AI is simultaneously accelerating vulnerability detection and reintroducing insecure code through vibe coding in pull requests and commits
- The Linux Foundation Research AI disclosure framework and where AI is and is not used in the research process
- ROI of open source contribution across three forms: code, community, and financial, including why energy utilities require a separate economic model
- Survey integrity challenges posed by AI agents gaming research studies, and why human engagement in open source has never been more critical
Read the full story and transcript at www.tfir.io
#OpenSource #LinuxFoundation #ZephyrRTOS #OpenSourceSecurity #AICode #VibeCoding #EmbeddedSystems #CyberResilienceAct #OpenSourceROI #SBOM #OpenSSF #SPDX #IoTSecurity #DevSecOps #OpenSourceResearch
