Open Source Summit India 2026

Unpatched vulnerabilities don't break builds, but can compromise entire infrastructures. A single neglected CVE in an embedded device can be a ticking time bomb, potentially causing millions in damages. But in an ocean of CVE's known vulnerabilities, how do you achieve high detection rates without drowning in false positives?

This session touch bases the lifecycle of a CVE, their exploitability, including how CVSS scores are calculated. It then addresses "translation problem"-explaining why different OS ecosystems label and backport CVEs differently, often confusing automated scanners.

Next, the talk deep-dives into practical solutions, demonstrating how to use SBOMs to map dependencies and implement a semi-automated, custom scanning strategy on top of it to maximize threat detection.

Finally, it focuses on practical application within the Yocto Project. The session explores "sustainability loop," sharing tips for applying security patches and version upgrades without breaking the build and dicusses why hoarding local patches creates crushing technical debt, and why pushing fixes upstream is the most strategic, secure choice for both their organization and open-source community.