
Crowdsourcing the open-source security problem

Protocol Enterprise

Hello and welcome to Protocol Enterprise! Today: why GitHub is opening its security database to the public, Microsoft’s new “Singularity” AI research computing project and some of the biggest recent funding deals in enterprise tech.


Spin up

Cloud infrastructure service providers offer a dizzying array of options, which is both a blessing and a curse for their customers. More than half of cloud customers said they find picking the right service the hardest part of controlling cloud costs.

With a little help from our friends

We’ve known about the shaky foundation of open-source software security for years, but in the wake of the discovery of the Log4j vulnerability last year, we’re starting to see more action.

After the Biden administration gathered leaders from across enterprise tech and open-source software communities to discuss how to improve open-source security, new initiatives from The Linux Foundation, Google, Microsoft and npm have all targeted the need for better security hygiene within open-source software. On Tuesday npm’s parent company, GitHub, rolled out a few changes to its database of known vulnerabilities that could allow developers better access to information in their daily workflow and an opportunity to share helpful details with their colleagues.

  • GitHub’s Advisory Database is now open to contributions from developers who might want to share detailed information about software vulnerabilities, such as the versions that are affected.
  • The Microsoft-owned coding repository also published the “full contents” of that database in a new format that will be available under a very permissive license, it said in a blog post.
  • “With community contributions, security researchers, academics, and enthusiasts will now be able to provide additional information and context to further the community’s understanding and awareness of security advisories,” GitHub’s Kate Catlin wrote in the post.

For more than 20 years, the CVE list has been the gold standard for official information on security vulnerabilities, but that information goes through a deliberate process.

  • Whenever a critical software vulnerability is discovered, it sets off a race between users of that software scrambling to defend themselves and hackers bent on exploiting the vulnerability.
  • GitHub users closer to the action don’t have the authority that an organization like CVE has, but they often have tips and tricks that could help users determine if they are affected by the vulnerability and what steps to take next.
  • An internal GitHub team will still review the submissions to guard against the expected craziness that always comes along with allowing the public to post things to the internet, and it will also use the Open Source Vulnerabilities format that allows computers to read and process the listings.
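The point of publishing the advisories in the Open Source Vulnerabilities (OSV) format is that a build pipeline or dependency scanner can consume them directly instead of a human reading prose. The following is an added example, not GitHub's or the OSV project's own code: a small checker that loads one advisory in OSV form and decides whether a given package version falls inside its affected ranges. It assumes the OSV field names `affected[].package.{ecosystem,name}`, `affected[].ranges[].events[]` (`introduced`, `fixed`, `last_affected`) and `affected[].versions[]`; the advisory itself, its GHSA-style id, the package names and every version number are constructed for the demo, and versions are ordered as dotted integers, which is a simplification of the real Maven and npm ordering rules.

```python
"""Added example: check a package version against an OSV-format advisory.

Assumptions (not from the original article): OSV field names as described
in the lead-in, constructed sample data, and a simplified dotted-integer
version ordering instead of each ecosystem's real comparison rules.
"""
import json

# Constructed sample advisory: the id, summary, package names and versions are made up.
SAMPLE_ADVISORY = json.loads("""
{
  "id": "GHSA-xxxx-xxxx-xxxx",
  "summary": "Constructed example: code execution via log message lookups",
  "affected": [
    {
      "package": {"ecosystem": "Maven", "name": "org.example:example-logging"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "2.0.0"}, {"fixed": "2.15.0"},
                    {"introduced": "2.16.0"}, {"fixed": "2.17.0"}]}
      ]
    },
    {
      "package": {"ecosystem": "npm", "name": "example-shim"},
      "versions": ["1.0.0", "1.0.1"]
    }
  ]
}
""")


def parse_version(text):
    """Turn '2.15.0' into (2, 15, 0) so tuples compare in version order.
    Non-numeric fragments count as 0; real ecosystems have richer rules."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def affected_intervals(events):
    """Fold an OSV event list into (low, high, inclusive_high) intervals.
    'introduced' opens an interval (inclusive), 'fixed' closes it (exclusive),
    'last_affected' closes it inclusively; an unclosed interval has no fix yet."""
    intervals, start = [], None
    for event in events:
        if "introduced" in event:
            start = event["introduced"]
        elif "fixed" in event and start is not None:
            intervals.append((start, event["fixed"], False))
            start = None
        elif "last_affected" in event and start is not None:
            intervals.append((start, event["last_affected"], True))
            start = None
    if start is not None:
        intervals.append((start, None, False))
    return intervals


def in_interval(version, low, high, inclusive_high):
    """Test one version against one interval; OSV uses '0' to mean 'from the beginning'."""
    v = parse_version(version)
    if low != "0" and v < parse_version(low):
        return False
    if high is None:
        return True
    h = parse_version(high)
    return v <= h if inclusive_high else v < h


def is_affected(advisory, ecosystem, name, version):
    """True if `version` of `ecosystem`/`name` is listed as affected by `advisory`."""
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            # GIT ranges carry commit hashes and need repository history to evaluate.
            if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                continue
            for low, high, inclusive in affected_intervals(rng.get("events", [])):
                if in_interval(version, low, high, inclusive):
                    return True
    return False


if __name__ == "__main__":
    for ver in ("1.2.17", "2.14.1", "2.15.0", "2.16.0", "2.17.0"):
        print(ver, "affected" if is_affected(
            SAMPLE_ADVISORY, "Maven", "org.example:example-logging", ver) else "clean")
```

A scanner would run this over every advisory it has pulled from the database against each entry in a lock file; the same interval logic is what makes a community-contributed "affected versions" field useful, since a wrong `introduced` or `fixed` boundary produces a silent false negative for exactly the versions people are trying to find.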

While the new endeavor appears to be a good-faith effort by GitHub to help find ways to improve an enormous industry-wide problem, it’s hard to overlook that it also helps GitHub’s long-term vision to be the central tool in a software developer’s toolkit.

  • Developers have lots of information resources at their disposal, but it’s not hard to imagine that information presented alongside their day-to-day coding tasks would decrease the incentive to go elsewhere.
  • Still, given the degree to which enterprise tech relies on open-source software to run its operations, more sources of information on security vulnerabilities are always helpful.
  • “By making it easier to contribute to and consume, we hope it will power even more experiences and will further help improve the security of all software,” Catlin wrote.

— Tom Krazit (email | twitter)

A MESSAGE FROM CLARI

How do you maximize Sales and Marketing performance? Point them at the same targets. Watch the latest episode of Club Revenue on Nasdaq as Bhaskar Roy, Chief Marketing Officer at Workato, reveals his remarkable tactics so that Marketing and Sales can outperform.

Learn more

Microsoft wants to achieve singularity on the cheap

When used in relation to AI, the term “singularity” usually refers to a futuristic moment when artificial intelligence becomes so advanced that it surpasses human intelligence, portending doom for us everyday brains. Not so at Microsoft, where the company has been growing a “Singularity” team that is building what the company calls a “planet-scale” AI supercomputer.

The company unveiled Singularity, a globally distributed workload scheduling service for deep learning, in a research paper that emphasized the need to lower the cost of building deep-learning systems, which require massive volumes of data and computing power. Several researchers from divisions across Microsoft including Azure wrote that the scheduler can preempt and elastically scale deep-learning workloads without affecting correctness or performance.

Amid moves away from deep learning fueled by massive datasets, companies like Facebook parent Meta and Microsoft are building infrastructure to enable development of AI requiring gargantuan amounts of information and processing power. Whether their endgame is singularity in the classic sense, we’ll have to wait and see.

— Kate Kaye (email | twitter)

Upcoming at Protocol

It’s never been easier to use multiple cloud providers for modern tech infrastructure needs, but should you use multiple cloud providers? Join our panel of experts next Wednesday, March 2 at 10 a.m. PT to hear more about the arguments for and against multicloud computing and how businesses should think about their options as the market evolves.


Protocol’s Tom Krazit will host the discussion featuring Priyanka Sharma, executive director of the Cloud Native Computing Foundation; Paul Cormier, CEO, Red Hat; and David Linthicum, chief cloud strategy officer, Deloitte. RSVP here.

Financial corner

Uniphore was valued at $2.5 billion after raising $400 million for its conversational automation tech.

Temporal hit a $1.5 billion valuation after raising $103 million to help enterprises write cloud applications.

Beyond Identity is worth $1.1 billion after raising $100 million to provide multifactor authentication for enterprises.

Timescale was valued at over $1 billion after raising $110 million to build a data platform for developers.

CHEQ reached a $1 billion valuation after raising $150 million for its AI-powered cybersecurity service.

Securonix raised $1 billion for its cloud-based security analytics tools from Vista Equity Partners.

Voltron raised $110 million to develop standards for data and analytics based on the Apache Arrow project.

Around the enterprise

MongoDB launched a corporate venture capital division, a well-trodden path for enterprise tech companies that have reached a certain size.

Slack went down for several hours as its U.S. users logged back in the morning after a holiday weekend.

U.S. Bank struck a three-year deal with Microsoft “to move most of its software applications to Microsoft’s Azure cloud,” according to American Banker.

Palo Alto Networks reported a 30% jump in revenue and beat Wall Street’s expectations for its second quarter.


Thanks for reading — see you tomorrow!
