Presented by

  • Sean O'Brien
    @profdiggity@privacysafe.social @profdiggity
    https://profdiggity.com

    Sean O’Brien is Deputy Director of the Free Software Foundation and has more than two decades of experience in free software. He is founder of Yale Privacy Lab and an Associate Research Scholar at Yale Law School, as well as Director of the Cybersecurity and Computer Science Programs and Assistant Professor at Bay Path University. At Ivy Cyber, "Prof Diggity" develops the curriculum of remote classes and guides the PrivacySafe secure hardware and software products. Sean's expertise has appeared in The New York Times, Wired, AP, NBC, Popular Science, Forbes, The Financial Times, and more.

Abstract

Free software has always carried a powerful security promise: when source code is available for public review, more people can inspect it, improve it, and help find vulnerabilities before they cause harm. That promise still matters. But over the past year, large language models (LLMs) and so-called "generative AI" have changed the conditions under which free software projects, maintainers, bug bounty programs, and hosts of software repositories and essential communication infrastructure operate.

This talk examines how LLM-powered software has intensified long-standing challenges in free software cybersecurity. Maintainers and security teams now face a flood of automated vulnerability reports that are duplicative, low quality, "hallucinated," or only superficially understood by the pentesters submitting them. For bug bounty programs, this creates a costly triage burden. Reports that once represented careful human review are increasingly mixed with LLM-generated "AI slop," making it harder to identify real risk, reward meaningful research, and preserve trust between free software projects and ethical hackers.

At the same time, hype around LLM-powered security scanners and proprietary exploit repositories has created new pressure on free software communities. Proprietary products such as Claude Mythos and OpenAI Daybreak promise faster vulnerability discovery and automated exploit generation. For maintainers, these tools often mean more attacks, more disclosures, more automated probing by unknown third parties, more speculative findings, more duplicated reports, and the possibility that exploit knowledge derived from public code is being stockpiled in private collections that can produce zero-day vulnerabilities affecting their projects at any moment.

Serious vulnerabilities in essential free software are being published with alarming regularity, often without adequate preparation or patching timelines. This includes privilege escalation and root access exploits that target millions of systems. The problem is not simply code quality or technical debt. Free software infrastructure itself is under strain. Source code repositories, package mirrors, issue trackers, and CI/CD systems are being hit by constant scanning, scraping, automated dependency analysis, and opportunistic attacks. These pressures increase bandwidth costs, slow software sharing and patching, and expand the attack surface for software supply chain compromise.

The talk will connect these issues to broader network abuse. Botnets such as Aisuru and waves of DDoS attacks are making access to free software more fragile and expensive. Hosting code, documentation, packages, and community services now carries rising costs in labor, bandwidth, energy, and mitigation.

Drawing on popular examples like the Linux kernel and curl, personal instances of DDoSing and attacks from botnets, professional experience running bug bounty programs, issues with so-called "cloud" hosted free software such as Canvas, and the day-to-day operations required to host major projects such as GNU at the Free Software Foundation (FSF), this session argues that we need a frank conversation about free software against the backdrop of LLM tooling.

The goal is not to retreat from software freedom. We must preserve source availability, public review, and community-based cybersecurity while asking what must change when many new "eyeballs" are automated, careless, inaccurate, or hostile.