I was among the delegation of “open source experts” invited to the UN Open Source Week 2026 in New York City by the Sovereign Tech Agency. Thank you to the Sovereign Tech Agency for inviting and supporting my stay and travel for the event. Thanks to Alpha-Omega for sponsoring my position at the Python Software Foundation.
UN Open Source Week is a week-long event with a different focus for each day. In order, the focuses were: Maintain-a-thon (UN Tech Over), Open Source × AI, Digital Public Infrastructure Day, OSPOs for Good, and Community Day. The event is structured as a series of presentations, panels, parallel sessions, and interactive break-outs that start in the morning and carry on into the evening at local partnered events.
After speaking with many folks and attending a week of sessions, there were themes that carried through the entirety of the event:
There was also plenty of hope in the sessions, too. Similar to last year, I left feeling that Open Source was a critical component for overcoming the challenges ahead and that organizations around the world knew this acutely.
Multiple speakers asked those involved with Open Source projects to see how their projects aligned with the 17 Sustainable Development Goals, including quality education, clean energy, industry and infrastructure, and many more. Having done this exercise, I highly recommend others do so, too.
The Sovereign Tech Agency was the partner hosting the second “Maintain-a-thon” as a part of the first day of UN Open Source Week. This year the day was split into two parallel tracks: “Technical Maintenance” and “Capacity & Stewardship”.
Mirko Swillus and I hosted a session in the Technical Maintenance track titled “The Vulnerability Flood: Open Source Security in the Age of LLMs”. The session would discuss how LLMs were affecting vulnerability handling and security teams and how we might better plan for potential futures. We began the session by setting context around how LLMs were already changing security, such as:
The session proceeded into an interactive exercise to draw potential topics for deeper small-group discussions from participants using sticky notes. The three topic-clusters ended up being “People”, “Process”, and unsurprisingly “AI”.
The “People” group discussed offering mental health programs for Open Source maintainers to better handle stress, burnout, and succession planning and highlighted the difficulties in defining what it even means to be a maintainer in terms of a “job description”.
The “AI” group discussed the critical junction for handling unmaintained software in a world of agents and faster time-to-exploits, focusing on the question: “Fix or rewrite?”. Clearly rewrites should be a last-resort and are fraught with challenges, such as introducing more bugs and security issues due to a large volume of new code. The group highlighted challenges and potential solutions around LLM use for Open Source projects in handling the flood of security reports.
The “Process” group discussed the weakening value of secrecy when it comes to vulnerability reports discovered using LLMs. Historically secrecy was kept to protect users, but if public models are able to find issues then who does this aspect of coordinated-vulnerability disclosure actually help? (Attackers). The Linux kernel is already experimenting with having less secrecy involved in vulnerability handling.
At the reception for Open Source × AI Day there was an additional panel session focusing on LLMs and security. One of the most interesting talking points of this panel was the restrictions being placed on “Frontier” models with cybersecurity capabilities. Earlier in the week, GLM-5.2, an open weights model, had been released, and folks had already begun testing the model’s cybersecurity capabilities and found them to be quite capable.
The panel noted how open weights models appear to be fast-following “Frontier” capabilities with a delay of 6-12 months, implying that we may not need to wait long for an open weights model with Mythos-like capabilities to become available. This is based on speculation, but the many implications of this are... interesting, to put it lightly. :)