LINEAJE AI LABS

Lineaje AI Labs is dedicated to informing and addressing the most pervasive software supply chain security risks organizations face today

In the Age of AI, Assume all Vulnerabilities Are Exploitable

Reachability analysis tools made us feel safer: the working assumption was that only a very small percentage of reported vulnerabilities are exploitable, and that even fewer are reachable in a given application. AI is now changing how vulnerability prioritization has to work.

A 2024 paper posted to arXiv (hosted by Cornell University) reported that an agent built on GPT-4, given only the CVE advisory text, produced working exploits for 87% of the one-day vulnerabilities in the authors' test set. That set was small (15 vulnerabilities), but the point stands: the public advisory alone was enough to get from "vulnerable" to "exploited".

In practice, then, treat every vulnerability with a public advisory as exploitable. Deferring fixes is riskier than it used to be, yet pushing the resulting incremental security work onto developers by hand grinds innovation to a halt.

The Fix

Vulnerabilities are tied to both direct and transitive components, but developers can directly patch only their direct dependencies. Fixing a vulnerable transitive dependency whose fix the direct dependency has not yet picked up requires deep software structure data: which direct dependency pulls the vulnerable component in, whether any newer release of that direct dependency resolves it, and, if none does, where the build must override the transitive version explicitly.

Adopt a self-healing software supply chain.
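The following is an added example, not Lineaje's code or tooling. It shows what "deep software structure data" has to answer in practice: given a resolved dependency tree and a set of advisories, it finds each vulnerable transitive component, works out which direct dependency introduces it, checks whether a newer release of that direct dependency already carries the fix, and otherwise emits the explicit override the build needs. All package names, versions and advisories are constructed for illustration; a real tool would read them from a lockfile or SBOM and a vulnerability database.

```python
"""Added example, not Lineaje's code: decide, per vulnerable transitive
component, whether bumping the introducing direct dependency is enough or
whether the build must pin the transitive version itself. Package names,
versions and advisories below are constructed for illustration."""
from collections import deque

# Constructed resolved metadata: package -> version -> [(dependency, version), ...]
INDEX = {
    "web-app":         {"1.0.0": [("http-client", "2.3.0"), ("template-engine", "4.1.0")]},
    "http-client":     {"2.3.0": [("url-parse", "1.4.0")],
                        "2.4.0": [("url-parse", "1.5.2")]},      # newer release picks up the fix
    "template-engine": {"4.1.0": [("escape-lib", "0.9.0")],
                        "4.2.0": [("escape-lib", "0.9.0")]},     # newer release still pins the bad one
    "url-parse":       {"1.4.0": [], "1.5.2": []},
    "escape-lib":      {"0.9.0": [], "1.0.0": []},
}

# Constructed advisories: (package, vulnerable version) -> first fixed version
ADVISORIES = {("url-parse", "1.4.0"): "1.5.2", ("escape-lib", "0.9.0"): "1.0.0"}


def version_key(v):
    """Dotted-integer ordering; enough for the constructed data. Real resolvers
    implement PEP 440 / semver, which this deliberately does not."""
    return tuple(int(part) for part in v.split("."))


def resolve(root, version, index=INDEX):
    """Breadth-first walk of the resolved tree.
    Returns {(pkg, ver): (depth, chain)}: depth 0 is the root, depth 1 a direct
    dependency; chain lists the (pkg, ver) nodes from the root down to, but not
    including, the node. The `seen` check also terminates on cycles."""
    seen = {}
    queue = deque([(root, version, 0, [])])
    while queue:
        pkg, ver, depth, chain = queue.popleft()
        if (pkg, ver) in seen:
            continue
        seen[(pkg, ver)] = (depth, chain)
        for dep, dver in index.get(pkg, {}).get(ver, []):
            queue.append((dep, dver, depth + 1, chain + [(pkg, ver)]))
    return seen


def subtree_is_clean(direct_pkg, cand_ver, vuln_pkg, fixed_ver, index=INDEX):
    """True if direct_pkg@cand_ver no longer brings in a version of vuln_pkg
    older than fixed_ver (dropping the dependency entirely also counts)."""
    sub = resolve(direct_pkg, cand_ver, index)
    return all(version_key(v) >= version_key(fixed_ver)
               for (p, v) in sub if p == vuln_pkg)


def plan_fixes(root, version, index=INDEX, advisories=ADVISORIES):
    """One remediation record per vulnerable node in the tree."""
    plan = []
    for (pkg, ver), (depth, chain) in resolve(root, version, index).items():
        fixed = advisories.get((pkg, ver))
        if fixed is None:
            continue
        if depth == 1:                       # the developer owns this pin directly
            plan.append({"package": pkg, "version": ver, "depth": depth,
                         "action": "upgrade-direct", "target": f"{pkg}=={fixed}"})
            continue
        direct_pkg, direct_ver = chain[1]    # chain[0] is the root itself
        newer = [v for v in index.get(direct_pkg, {})
                 if version_key(v) > version_key(direct_ver)]
        bump = next((v for v in sorted(newer, key=version_key)
                     if subtree_is_clean(direct_pkg, v, pkg, fixed, index)), None)
        if bump:
            action, target = "bump-direct", f"{direct_pkg}=={bump}"
        else:                                # no release of the direct dep carries the fix
            action, target = "override-transitive", f"{pkg}=={fixed}"
        plan.append({"package": pkg, "version": ver, "depth": depth,
                     "via": direct_pkg, "action": action, "target": target})
    return plan


def overrides(plan):
    """Explicit pins the build file needs (npm 'overrides', pip constraints,
    Maven dependencyManagement) for findings no direct bump can resolve."""
    return {p["package"]: p["target"].split("==")[1]
            for p in plan if p["action"] == "override-transitive"}


if __name__ == "__main__":
    result = plan_fixes("web-app", "1.0.0")
    for item in result:
        print(item)
    print("overrides needed:", overrides(result))
```

With the constructed data, url-parse is fixed by bumping http-client to 2.4.0, while escape-lib needs an explicit override because no template-engine release picks up 1.0.0. Overrides are the part to watch in a "self-healing" pipeline: each one is a pin a human must revisit when the direct dependency eventually catches up, so record the reason alongside the pin.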

Open-Source Software Is Not Trustworthy

Nearly 7% of components are of dubious origin, and even ‘trustworthy’ ones may carry hidden risks.

Trust class (share of components), what it means, the implication for your release, and the threat it maps to:

Dubious Origin (6.96% of components)
What it means: The component cannot be found at the origin that the open-source component your developers sourced claims to come from.
Implication: Stop ship. Your software contains components of unknown origin.
Potential threat: Revival hijack and other software supply chain attacks.

Tampered (share varies)
What it means: The component exists in open source, but what your software contains is provably different from what was published.
Implication: Stop ship. Your software contains components that have clearly been altered.
Potential threat: 3CX, XZ, SolarWinds.

Minimally Accepted Trust Level (0.47%)
What it means: The component used in the parent is exactly what was published by the account that published it; its integrity is verified, but its origin is not independently established.
Implication: Minimally acceptable integrity. Attestation for all components in your software.
Potential threat: While the component itself is intact, its dependencies may not be.

Trustworthy (92.57%)
What it means: The component used in the parent is exactly what was published by the open-source developer who created it.
Implication: Known origin, attested software integrity.
Potential threat: Certified original. While the component is trustworthy, its dependencies may not be.
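The following is an added example, not Lineaje's code. It implements the integrity half of the classification above: each pinned component is checked against the digest the registry published, and sorted into "dubious origin" (the registry has no such release), "tampered" (the bytes we hold differ from what was published), or integrity-verified. Two extra sub-classes, "unpinned" and "lock-mismatch", are this example's own additions for lockfile hygiene. The registry answers, the lockfile and the downloaded bytes are all constructed inline so it runs offline; a real check pulls published digests from the registry API (for PyPI, the per-file sha256 in its JSON API), never from the same place the artifact came from. Origin verification (the difference between the page's "Minimally Accepted" and "Trustworthy" rows) is a separate provenance check and is out of scope here.

```python
"""Added example, not Lineaje's code: verify pinned components against the
digests a registry published and classify each one. Registry answers, the
lockfile and the downloaded bytes are constructed so this runs offline."""
import hashlib
import re


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: what the registry says it published for each (name, version).
# A (name, version) missing here stands for "the registry has no such release".
PUBLISHED = {
    ("requests", "2.31.0"): sha256(b"requests-2.31.0 wheel bytes"),
    ("urllib3", "2.0.7"):   sha256(b"urllib3-2.0.7 wheel bytes"),
}

# Constructed: the bytes that actually landed in the build cache.
DOWNLOADED = {
    ("requests", "2.31.0"):   b"requests-2.31.0 wheel bytes",             # intact
    ("urllib3", "2.0.7"):     b"urllib3-2.0.7 wheel bytes\n# injected",   # altered in transit
    ("left-pad-py", "0.1.0"): b"not on any registry",                     # no such release
}

# Constructed lockfile in pip's `name==version --hash=sha256:...` form.
LOCK = f"""\
requests==2.31.0 --hash=sha256:{PUBLISHED[('requests', '2.31.0')]}
urllib3==2.0.7 --hash=sha256:{PUBLISHED[('urllib3', '2.0.7')]}
left-pad-py==0.1.0
"""

LOCK_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>\S+)"
    r"(?:\s+--hash=sha256:(?P<sha>[0-9a-f]{64}))?\s*$")


def parse_lock(text):
    """Yield (name, version, pinned_sha_or_None) for each non-comment lock line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_RE.match(line)
        if not m:
            raise ValueError(f"unparseable lock line: {line!r}")
        yield m["name"], m["ver"], m["sha"]


def classify(name, ver, pinned_sha, published=PUBLISHED, downloaded=DOWNLOADED):
    """Map one component to a trust class:
      dubious-origin     : registry has no record of this release at all
      missing            : registry knows it, but nothing was downloaded
      tampered           : bytes we hold differ from what the registry published
      unpinned           : integrity verified now, but the lock does not enforce it
      lock-mismatch      : lock pin disagrees with the registry (stale or edited lock)
      integrity-verified : bytes match the registry and the lock enforces that digest"""
    pub = published.get((name, ver))
    if pub is None:
        return "dubious-origin"
    blob = downloaded.get((name, ver))
    if blob is None:
        return "missing"
    if sha256(blob) != pub:
        return "tampered"
    if pinned_sha is None:
        return "unpinned"
    if pinned_sha != pub:
        return "lock-mismatch"
    return "integrity-verified"


def audit(lock_text=LOCK):
    """{name: trust class} for every component in the lock."""
    return {name: classify(name, ver, sha) for name, ver, sha in parse_lock(lock_text)}


def should_ship(report):
    """Stop ship unless every component is integrity-verified."""
    return all(cls == "integrity-verified" for cls in report.values())


if __name__ == "__main__":
    report = audit()
    for name, cls in report.items():
        print(f"{name:12} {cls}")
    print("ship:", should_ship(report))
```

The ordering of the checks matters: "does the registry know this release at all" comes before any hash comparison, because a digest match against a non-existent upstream record proves nothing. The "tampered" case here is a one-line change to the artifact bytes; a real revival hijack or registry compromise would more likely show up as "dubious-origin" or "lock-mismatch" than as a raw byte diff.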

Open-Source Component Maintenance Status

Criteria               Description                              Count   %
Unmaintained           No fix in the last 2 years               806     48.3%
Well maintained        Fix available in the last 6 months       541     32.4%
Maintained / Grey OSS  Fixed in the last 6 months to 2 years    323     19.3%

The Fix

Use only trusted open-source software

Software Supply Chain Security Is Much More Complex Than SCA

Dependency Chains are Deep, Complex, and Diverse

An analysis of Apache ECharts, which is used in roughly 280,000 projects, traced its components and their main contributors through dependency chains up to 21 layers deep.

Open-source Contributors are Often Anonymous

Enterprises building private software, startups creating new intellectual property (IP), and contractors writing software for their customers routinely contribute code under their real names. In mature enterprise development shops, commits are accepted only from verified developers working on secure, attested machines.
Open-source developers work from wherever they want, use personal devices, and frequently use anonymous or unverified accounts. Many choose to remain anonymous, which carries a higher risk than contributions from known, authenticated contributors.
The share of unknown contributors from Russia is about half that of the United States, and the share of unknown Chinese contributors is about a third of the U.S. figure.
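The following is an added example, not Lineaje's code or methodology. It shows the check a team can actually run on a repository it consumes: pull the signature status and author identity for each commit and separate commits from verified identities from everything else. The log lines are constructed, but the `git log` format string in the comment is the real one (`%G?` is git's signature-check result code). The identity heuristics (no-reply addresses, a disposable-domain list, single-token names) are this example's own, deliberately simple, and flag pseudonymity rather than malice; a GitHub no-reply address is a legitimate privacy setting, so treat that flag as "unknown contributor" in the page's sense, not as a red alert.

```python
"""Added example, not Lineaje's code: separate verified from unverified commit
authors in a git history. Log lines are constructed; the heuristics are this
example's own and intentionally simple."""
import re
from collections import Counter

# Constructed output of:
#   git log --format='%H%x09%G?%x09%an%x09%ae'
# %G? values (git-log docs): G good signature, U good but key untrusted,
# B bad, X expired signature, Y expired key, R revoked key, E cannot check,
# N no signature.
LOG = """\
9f1c2e3a4b5c6d7e8f901234567890abcdef1234\tG\tAlice Example\talice@example.org
1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d\tN\tcoolhacker42\t12345678+coolhacker42@users.noreply.github.com
ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12\tU\tBob Builder\tbob@builder.dev
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef\tB\tAlice Example\talice@example.org
0123456789abcdef0123456789abcdef01234567\tN\tx\tx@mailinator.com
"""

# Commit ids are 40 hex chars in SHA-1 repositories, 64 in SHA-256 ones.
LINE_RE = re.compile(
    r"^(?P<sha>[0-9a-f]{40}|[0-9a-f]{64})\t(?P<sig>[GUBXYREN])\t"
    r"(?P<name>[^\t]*)\t(?P<email>[^\t]*)$")

SIG_REASON = {"U": "untrusted-key", "B": "bad-signature", "X": "expired-signature",
              "Y": "expired-key", "R": "revoked-key", "E": "unverifiable",
              "N": "unsigned"}

NOREPLY_DOMAINS = ("users.noreply.github.com", "noreply.gitlab.com")
DISPOSABLE_DOMAINS = ("mailinator.com",)   # constructed; use a maintained list in practice


def parse_log(text):
    """One dict per commit line: sha, sig, name, email."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unexpected log line: {line!r}")
        entries.append(m.groupdict())
    return entries


def identity_flags(name, email):
    """Pseudonymity hints about the author identity (not proof of anything)."""
    flags = []
    domain = email.rsplit("@", 1)[-1].lower()
    if domain.endswith(NOREPLY_DOMAINS):
        flags.append("noreply-address")
    if domain in DISPOSABLE_DOMAINS:
        flags.append("disposable-address")
    if " " not in name.strip():
        flags.append("single-token-name")
    return flags


def classify_commit(entry):
    """'verified' only for a good signature from a trusted key and an identity
    with no pseudonymity flags; otherwise 'unverified' plus the reasons."""
    reasons = []
    if entry["sig"] != "G":
        reasons.append(SIG_REASON[entry["sig"]])
    reasons += identity_flags(entry["name"], entry["email"])
    return ("verified" if not reasons else "unverified"), reasons


def audit(text=LOG):
    results = []
    for entry in parse_log(text):
        status, reasons = classify_commit(entry)
        results.append({**entry, "status": status, "reasons": reasons})
    return results


def summary(results):
    """Counter of statuses, e.g. Counter({'unverified': 4, 'verified': 1})."""
    return Counter(r["status"] for r in results)


if __name__ == "__main__":
    rows = audit()
    for r in rows:
        print(r["sha"][:8], r["status"], ",".join(r["reasons"]) or "-", r["name"])
    print(dict(summary(rows)))
```

Note that `U` (good signature, untrusted key) is classed as unverified: the signature is cryptographically fine, but the key is not in your trust chain, which is exactly the "unknown contributor" situation the page describes. Turn the 'untrusted-key' reason into 'verified' only after the key has been added to an allowlist you control.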

Top 10 Countries with Hidden Risks from Unknown Open-source Contributors

The ten countries with the largest share of unknown (and therefore higher-risk) contributors, ranked by the percentage of contributors who are unknown:

Country          Known Contributors   Unknown Contributors   % Known   % Unknown
United States            15,051                3,957          79.2%      20.8%
Australia                 1,139                  264          81.2%      18.8%
Canada                    5,329                  997          84.3%      15.7%
Brazil                    6,189                1,070          85.3%      14.7%
Great Britain             5,071                  783          86.6%      13.4%
Spain                     5,071                  783          86.6%      13.4%
Germany                   9,272                1,392          86.9%      13.1%
Russia                   16,141                2,178          88.1%      11.9%
Japan                     1,519                  138          91.7%       8.3%
China                     4,002                  286          93.3%       6.7%
Quick takeaway

United States contributors commit more code to open-source projects than those from any other country, with Russia second. However, a notable 20.8% of American contributors remain anonymous, roughly twice the share for Russia (11.9%) and three times that for China (6.7%).

Share of Open-Source Commits by Country

Country          % of Commits
United States        34%
Russia               13%
Canada                9%
United Kingdom        7%
Brazil                6%
Germany               3%
China                 1%
New Zealand           1%

The Fix

Unify SCA scanning with deep dependency analysis.

Open-Source Vulnerabilities Are Rarely Fixed

Lineaje AI Labs analyzed all reported open-source vulnerabilities. The data reinforces that open-source developers are great innovators but terrible maintainers: 61% of reported vulnerabilities have no fix available, and the share is higher still for critical and high severity issues.

Vulnerability Fix Distribution

                        Critical   High    Medium   Low    No Severity   Total
% with Fix Available      25%      24%      27%     33%       56%        39%
% Exploitable            1.70%    0.70%    0.10%     0%        0%       0.30%
% with No Fix             75%      76%      73%     67%       44%        61%

The Fix

Request fixes upstream for open-source software with no known fix available.
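The following is an added example, not Lineaje's code or product logic. It turns the two tables above (the maintenance buckets and the fix distribution) into a triage rule that honours the page's premise that every advisory is exploitable: a finding with no fix is never "ignore", it becomes "request a fix upstream" when the project is still active, or "replace or mitigate" when the project has gone quiet. It also recomputes the "% with fix available" per severity for a set of findings, so a team can produce its own version of the fix-distribution table from its SBOM. Findings, dates and the 6-month/2-year thresholds are constructed to match the page's buckets.

```python
"""Added example, not Lineaje's code: triage findings assuming every advisory is
exploitable, using fix availability plus the maintenance buckets from the page.
Findings, dates and thresholds are constructed."""
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}
TODAY = date(2024, 6, 1)   # fixed "now" so the results are reproducible

# Constructed findings. `direct` says whether the developer pins the component
# directly; `last_upstream_fix` is the project's most recent fix release of any
# kind (None = no release history found).
FINDINGS = [
    {"id": "F1", "component": "escape-lib",  "severity": "high",     "direct": False,
     "fix_version": None,    "last_upstream_fix": date(2021, 3, 1)},
    {"id": "F2", "component": "http-client", "severity": "critical", "direct": True,
     "fix_version": "2.4.0", "last_upstream_fix": date(2024, 5, 10)},
    {"id": "F3", "component": "url-parse",   "severity": "medium",   "direct": False,
     "fix_version": "1.5.2", "last_upstream_fix": date(2024, 2, 1)},
    {"id": "F4", "component": "yaml-tool",   "severity": "high",     "direct": True,
     "fix_version": None,    "last_upstream_fix": date(2023, 9, 15)},
    {"id": "F5", "component": "old-codec",   "severity": "low",      "direct": False,
     "fix_version": None,    "last_upstream_fix": None},
]


def maintenance_bucket(last_upstream_fix, today=TODAY):
    """Same thresholds as the maintenance table: 183 days ~ 6 months, 730 ~ 2 years."""
    if last_upstream_fix is None:
        return "unmaintained"
    age = (today - last_upstream_fix).days
    if age <= 183:
        return "well-maintained"
    if age <= 730:
        return "maintained"
    return "unmaintained"


def decide(finding, today=TODAY):
    """Action for one finding. Because exploitability is assumed, 'no fix'
    never means 'defer': either ask upstream, or replace the component when
    upstream is no longer shipping fixes."""
    bucket = maintenance_bucket(finding.get("last_upstream_fix"), today)
    if finding.get("fix_version"):
        action = "upgrade" if finding["direct"] else "override-or-bump-parent"
    elif bucket == "unmaintained":
        action = "replace-or-mitigate"
    else:
        action = "request-upstream-fix"
    return {**finding, "maintenance": bucket, "action": action}


def triage(findings, today=TODAY):
    """Ordered worklist: highest severity first; within a severity, findings
    with no fix come first because they need the longest lead time."""
    decided = [decide(f, today) for f in findings]
    return sorted(decided, key=lambda d: (-SEVERITY_RANK[d["severity"]],
                                          bool(d.get("fix_version"))))


def fix_distribution(findings):
    """% of findings with a fix available, per severity plus a total: the
    shape of the 'Vulnerability Fix Distribution' table, for your own SBOM."""
    buckets = {}
    for f in findings:
        n_fixed = buckets.setdefault(f["severity"], [0, 0])
        n_fixed[0] += 1
        n_fixed[1] += bool(f.get("fix_version"))
    buckets["total"] = [len(findings), sum(bool(f.get("fix_version")) for f in findings)]
    return {sev: round(100 * fixed / n, 1) for sev, (n, fixed) in buckets.items()}


if __name__ == "__main__":
    for row in triage(FINDINGS):
        print(row["id"], row["severity"], row["component"], row["maintenance"], "->", row["action"])
    print(fix_distribution(FINDINGS))
```

The "request-upstream-fix" bucket is the one the page's fix calls for; the point of attaching the maintenance status is that a request to a project with no fix release in two years is unlikely to land, so that case is routed to replacement or a local mitigation instead of waiting.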

Want to learn more about how to deliver zero-vulnerability software?

Talk to Us