Hacker News: grantlmiller's comments

We’d love for this to be true... most images fill up with CVEs so fast in dependencies, we’re providing minimal images (much less surface area) and have the automation to rebuild the entire dependency graph at least daily, if not multiple times per day.

Hopefully everyone will run a "proper security program" someday!


It can be true for you if you correct your thinking on the problem.

CVEs are basically just bugs that are not triggered by normal operation. If you race to "fix" them all, you are going to drown (as you are discovering).

Focus on your solution for tracking actively exploited vulnerabilities and a prioritization system and you'll greatly simplify the problem while better serving your customers.


well... our core users are ISVs (who distribute commercial software into enterprise controlled, self-hosted environments... think big banks, governments, tech companies). They care about supporting OSS (almost 1/2 of them are open core themselves) and their customers mandate that they care about closing out CVEs quickly in the software they're consuming from them.


the goal is going to be 6 hours!


thanks! say more about what you mean... you're saying instead of: Secure, Sustainable Open Source Partner with SecureBuild to offer secure, vulnerability-free builds of your open source project while generating recurring software revenue, no support contracts required.

we should say something different?


More about what you actually do -- I'd suggest something like "Secure, Sustainable Open Source: We partner with open source projects to monitor their upstream dependencies for security fixes, and automatically rebuild and distribute our partners' projects with those fixes. Our partners don't have to change what they do, and we share 70% of our subscription revenue with them."

Also:

> New SecureBuilds are created whenever upstream CVEs are available, with a 6-day SLA for critical vulnerabilities.

Surely this should be "New SecureBuilds are created whenever upstream fixes for CVEs are available" -- you cut new builds for the fixes, not the bugs, no?


i like it! and yes, that is correct :)


for those of us who haven't been through an "AI winter", it's really interesting to hear a debate about AI from nearly 40 years ago.


nice to see this on the front page of HN, I'm one of the creators of EnterpriseReady (and the host of the podcast: https://enterpriseready.io/podcast) happy to answer questions or take feedback!


I did this interview with Mitchell about 18 months ago (time flies), given their IPO yesterday it feels like a great time to look back at the early lessons learned from building an iconic open source, developer tooling company.


Honestly it depends. I've helped two companies I've angel invested in wind down, it isn't fun and a lot of other investors walk away. As a founder you have a good amount of your reputation wrapped up in this company, so how you exit is how you'll be remembered. If you're the CEO, you should probably stay on to wind it down, make sure you leave some cash to close out bills (lawyers etc). If you have revenue and a decent team you might be able to "soft land" it to a bigger co for about the amount of $ that you raised (in new co stock for investors) and retention packages for the team.

If you're not the CEO, you have less responsibility to stay (but might reduce the value in a soft landing), very situation specific. From your quick description of what you might do and what you've liked doing, you'll be a great resource to any team... but if you're technical and like spending time with customers you'll be VERY valuable to a technical company (on either the business or engineering side honestly).

If you are looking, would love for you to consider Replicated. We're 100% remote, deeply technical, recently raised a Series C and have lots of openings for technical folks: https://www.replicated.com/careers (and since our customers are other enterprise software companies, your experience is likely valuable). Feel free to email me directly: grant at replicated (same invite for other HN folks if this sounds interesting).


Co-founder of Replicated here, a bit late to the party but happy to answer questions. Also, very important to highlight the unique aspect of this program... we now reimburse a MONTHLY home office expense (using the IRS calculation % of square footage of home). We're paying a portion of your rent or your mortgage (as much as the IRS allows), plus other cool benefits.


This is great. I feel the same way, but have been trying to train the existing YT algorithm. I started using my work email YouTube profile to actively subscribe/like/save videos that I want to see more of (about hiring, management, culture, Kubernetes, devtools etc). At the same time I aggressively choose "not interested" and "do not suggest this channel" when the algorithm isn't suggesting what I want (more detail: https://twitter.com/GrantM/status/1325471071265558532).


Don't bother: I tried literally for years to teach the algorithm that I don't eat fish but it still offers fish cooking videos to this day.


Wouldn’t it just be easier to start eating fish?


I'd rather skip a meal than eat fish. In fact the last time I ate fish was 22 years ago during my compulsory military service which I still have nightmares of (but not because of the fish).

So I'll resist the algorithm until the end! ;)


Sounds similar to how I trained my TikTok feed while I was playing around with it for a week - repeatedly clicking on not interested for dancing, cooking, and general youth stuff left me with a feed composed of nature videos - pretty cool.

On a side note, TikTok has to have the best recommendation algorithm possible - not good for us, but good as in addicting.


interesting - sounds like you've had good results so far?


In my experience the YouTube algorithm is very easily manipulated. Just scroll through your feed and select "not interested" for what you dislike. The type of content changes very quickly.


Over the years I've probably "blocked" every single term from the Star Wars universe. Yet as soon as the next iteration of the franchise approaches box offices I find myself flooded with the most absurd cross-marketing videos you can imagine. Not talking about (official) ads. I have the strong impression the algorithm either takes ad campaigns into account — or is being abused by advertisers very successfully.


Makes sense, ads are paid per impression, so if a company soaks away more impressions that don't lead to actions then that means more revenue. I guess the trick is to make sure you're still - only just - the best CPM around.

