Bridging the Gap Between Code and Research: Why SCORED ’26 Matters for Open Source Security

By Justin Cappos, OpenSSF Ambassador, Professor at New York University

Introduction: The Evolving Threat Landscape

Let’s be completely honest about how we’ve historically handled security research: academia and open source practitioners have basically been living on two different planets.

In academia, the primary incentive is publishing, and the magic word is novelty. Because of that, there’s a strong tendency for researchers to write papers that build on what other academics think the problems are, without ever really talking to the people maintaining real-world projects. Meanwhile, open source software is now used in a staggering 98% of all codebases. It is literally the digital foundation of the modern world, and we desperately need more people with the dedicated time and energy to look deeply at its vulnerabilities.

But a paper doesn’t secure a repository if a maintainer can’t actually deploy it.