frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

Open in hackernews

Show HN: SecureBuild – Zero-CVE Images That Pay OSS Projects

https://securebuild.com
21•grantlmiller•4h ago
We're launching SecureBuild: https://securebuild.com — a new way for open source projects and maintainers to earn revenue by partnering with and endorsing our Zero-CVE container images of their project.

We’ve spent the last decade at Replicated (https://news.ycombinator.com/item?id=9841243) helping commercial and open source software vendors securely distribute their apps to enterprise environments. During that time, we saw firsthand how hard it is for maintainers to fund their work, and how increasingly demanding enterprises have become when it comes to demonstrable security and scanning.

SecureBuild is our attempt to bridge that gap. Built on top of Wolfi (https://news.ycombinator.com/item?id=36489847), we provide Zero-CVE container images with tight SLAs, full SBOMs, etc, but we route 70% of direct subscription revenue back to the open source projects that create them.

We’re especially interested in partnering with open source maintainers who want to make their projects more secure and sustainable without changing licenses. We handle builds, hosting, sales, patching, and customer delivery.

I'm Grant (https://news.ycombinator.com/user?id=grantmiller), co-founder of Replicated & co-creator of SecureBuild, working with my co-founder Marc Campbell (https://news.ycombinator.com/user?id=marcc). We hope this can be part of a broader push toward a more secure, economically sustainable future for open source.

Happy to answer questions and share more details!

Comments

dhorthy•3h ago
this looks cool - your homepage video should open with what it is though!
grantlmiller•3h ago
thanks! say more about what you mean... you're saying instead of: Secure, Sustainable Open Source Partner with SecureBuild to offer secure, vulnerability-free builds of your open source project while generating recurring software revenue, no support contracts required.

we should say something different?

siggy•2h ago
thanks for sharing. what's the onboarding process look like? if i'm maintaining my own Dockerfiles today, do you or I evaluate and port those to SecureBuild/Wolfi?
marcc•2h ago
We work together on it. Assuming you have a build process and dockerfile (we all do), generally our team can get you listed in the catalog quickly.

It's not too much work since we built on an existing set of tools (melange & apko). I've actually found that putting a Dockerfile into ChatGPT generates a really good first iteration.

cube00•1h ago
> New SecureBuilds are created whenever upstream CVEs are available, with a 6-day SLA for critical vulnerabilities.

Aren't most SecOps pushing 48 hours as the absolute limit for critical vulns or are ours just being extra pushy?

marcc•1h ago
We often deliver in way less than 6 days but sometimes the dependency tree is deep for a patch.

I've seen most auditors mandate 30 days for Critical, but you clearly want to move a lot quicker than that.

grantlmiller•1h ago
the goal is going to be 6 hours!
mike_d•58m ago
> I've seen most auditors mandate 30 days for Critical, but you clearly want to move a lot quicker than that.

You seem to fundamentally not understand security. A proper security program should never be driven by an auditors expectations or even used as a reasonable guideline.

Don't track CVEs and SLAs in days. You need to have patches out before active exploitation in the wild begins, that is the only metric that matters. Go talk to Greynoise about how to get that data.

grantlmiller•46m ago
We’d love for this to be true... most images fill up with CVEs so fast in dependencies, we’re providing minimal images (much less surface area) and have the automation to rebuild the entire dependency graph at least daily, if not multiple times per day.

Hopefully everyone will run a "proper security program" someday!

mike_d•16m ago
It can be true for you if your correct your thinking on the problem.

CVEs are basically just bugs that are not triggered by normal operation. If you race to "fix" them all, you are going to drown (as you are discovering).

Focus on your solution for tracking actively exploited vulnerabilities and a prioritization system and you'll greatly simplify the problem while better serving your customers.

jenny91•56m ago
The intersection of entities whose security is based around "responding to every CVE quickly" and the entities that care about supporting OSS projects has measure zero.
grantlmiller•47m ago
well... our core users are ISVs (who distribute commercial software into enterprise controlled, self-hosted environments... think big banks, governments, tech companies). They care about supporting OSS (almost 1/2 of them are open core themselves) and their customers mandate that they care about closing out CVEs quickly in the software they're consuming from them.

One Week Out, Some Brief Thoughts and Observations on WWDC 2025

https://daringfireball.net/2025/06/some_brief_thoughts_and_observations_on_wwdc_2025
1•tosh•1m ago•0 comments

Mexico: "The New China" According to Philippa Malmgren

https://mexicodailypost.com/2025/06/08/mexico-the-new-china-according-to-philippa-malmgren/
1•walterbell•2m ago•0 comments

Kilauea volcano errupts, lava more than 1k feet high [video]

https://www.youtube.com/watch?v=oG5zz9Sjw3E
2•asix66•3m ago•0 comments

AI Hallucinations: Provably Unsolvable – What Do We Do?

https://www.mindprison.cc/p/ai-hallucinations-provably-unsolvable
2•mucha•4m ago•0 comments

Smartphones: Parts of Our Minds? Or Parasites?

https://www.tandfonline.com/doi/full/10.1080/00048402.2025.2504070
2•cratermoon•4m ago•0 comments

Atfllm

https://ninjasandrobots.com/atfllm
2•nate•4m ago•0 comments

Python-Importtime-Graph

https://simonwillison.net/2025/Jun/20/python-importtime-graph/
1•amrrs•5m ago•0 comments

Vault-Agnostic Secret Management

https://adaptive.live/blog/a-vault-agnostic-future-for-secrets-management
1•debarshri•5m ago•0 comments

Brad Feld – LLM's Just Lie

https://feld.com/archives/2025/06/llms-just-lie/
1•rmason•6m ago•0 comments

Show HN: Logic Fang – a mutation-aware logic tracer that hunts semantic drift

https://github.com/Mr-Sherif-1/LogicFang-fuzz-firewall
1•Mr-Sherif-1•6m ago•0 comments

Screen reader for devices running SteamOS

https://steamcommunity.com/games/593110/announcements?snr=1_2108_9__2107
2•Venn1•7m ago•0 comments

Agentic Misalignment: How LLMs could be insider threats

https://www.anthropic.com/research/agentic-misalignment
2•davidbarker•8m ago•0 comments

Addressing fear, uncertainty and doubt thrown at Element and Matrix

https://element.io/blog/addressing-fear-uncertainty-and-doubt-thrown-at-element-and-matrix/
1•LorenDB•9m ago•0 comments

It's True: The Jaws Shark Is Public Domain

https://ironicsans.ghost.io/how-the-jaws-shark-became-public-domain/
2•MBCook•11m ago•0 comments

Honda successfully launched and landed its own reusable rocket

https://www.theverge.com/news/689183/honda-reusable-rocket-successful-launch-test-landing
1•fuzzythinker•13m ago•1 comments

Open Sourcing Any Distance

https://kuntz.io/blog/any-distance-oss
1•ezekg•15m ago•0 comments

Making Sense of a Noisy World

https://ordep.dev/posts/opinions-on-trends
1•ordpedev•15m ago•0 comments

Inside the 'Dragon Age' Debacle That Gutted EA's BioWare Studio

https://www.bloomberg.com/news/articles/2025-06-11/inside-the-dragon-age-debacle-that-gutted-ea-s-bioware-studio
1•trevortheblack•16m ago•0 comments

MIT student prints AI polymer masks to restore paintings in hours

https://arstechnica.com/ai/2025/06/mit-student-prints-ai-polymer-masks-to-restore-paintings-in-hours/
1•gametorch•16m ago•0 comments

Engineered Meta-Cognitive Workflow Architecture for Windsurf

https://entrepeneur4lyf.github.io/engineered-meta-cognitive-workflow-architecture/
2•handfuloflight•17m ago•0 comments

Postgres Weekly 19th June 2020

https://postgresweekly.com/issues/604
1•khurs•18m ago•0 comments

EU Eyes Ditching Microsoft Azure for France's OVHcloud

https://www.euractiv.com/section/tech/news/scoop-commission-eyes-ditching-microsoft-azure-for-frances-ovhcloud-over-digital-sovereignty-fears/
15•doener•19m ago•1 comments

Show HN: Onri, the Google Map for micro-learning

https://onri.ai
1•ru6xul6•21m ago•0 comments

Cluely raises $15M led by a16z

https://a16z.com/announcement/investing-in-cluely/
1•colesantiago•21m ago•0 comments

Haveli Investments to buy Couchbase for $1.5B

https://www.reuters.com/legal/transactional/haveli-investments-buy-ai-database-firm-couchbase-about-15-billion-2025-06-20/
2•ergl•23m ago•0 comments

How Astronomers Will Deal With 60 Million Billion Bytes of Imagery

https://www.nytimes.com/2025/06/20/science/vera-rubin-telescope-data.html
2•perihelions•24m ago•1 comments

Ask HN: X account hacked again – no email when attacker changed the email? How?

4•hadaoaxb•25m ago•0 comments

YC: Digital Superintelligence, Multiplanetary Life, How to Be Useful [video]

https://www.youtube.com/watch?v=cFIlta1GkiE
1•onemoresoop•26m ago•0 comments

Show HN: wasque – Lightweight Cloudlare Warp Proxy Container for Linux

https://github.com/Diniboy1123/wasque
1•MaryJohanna•28m ago•0 comments

Uncut Paper Currency

https://www.usmint.gov/shop/paper-currency/
2•bookofjoe•29m ago•0 comments