Backburning Open Source: Partnering with dotenvx to Find Vulnerabilities Before Attackers Do
Open source maintainers are defending critical software against attackers with more compute. Our dotenvx partnership shows how hardened packages can close the silent window.
Open source has a wildfire problem. Most of the code running the world is maintained by someone doing it for free on a weeknight. A model can now probe that code at machine speed, chain low-severity bugs into critical exploit paths, and test variants across thousands of downstream projects before any maintainer has opened their laptop. The defender is still one person on a weeknight. The attacker is a swarm. The time delta between a vulnerability existing and someone finding it, what we call the silent window, now favors whoever has more compute.
Donations will not fix this. They never scaled with risk. dotenv and a random date-parsing library get treated about the same. The only funding mechanism that matches the threat is the one enterprises already have to pay for. Security. SOC 2 demands it. Insurers demand it. Regulators demand it.
So we decided to backburn. We built three things a maintainer can use today. A Mythos-like agent that probes their packages the way an attacker would and sends patches upstream. A trust score for every contributor that touches their code. And a scanner that checks incoming patches before they land. Together they give a single maintainer the security posture of a full team and compress the time delta from days to minutes. No vulnerability scanner does that.
We started with dotenvx. Scott Motte has maintained dotenv for over a decade. Millions of projects depend on it. We pointed our agent at dotenvx. It did not just scan for known patterns. It chained vulnerabilities together the way a real attacker builds a kill chain. It found real exploit paths. Motte patched them. The silent window closed before it opened to the public.
That partnership is the model we think scales. Enterprises pay for hardened packages. Maintainers earn income for hardening.
Open source does not need charity. It needs a product. And security is the only product where the buyer has no choice.
The packages that get hardened will get adopted. The ones that do not will quietly stop growing. That is the future we are building against.