New guidance published on GOV.UK – AI, open code and vulnerability risk in the public sector:
User research suggests that the primary driver of exploitation risk is the presence of weaknesses in systems – including unpatched vulnerabilities, insecure implementation, and unsafe configuration or deployment – and the inability to remediate them quickly. Publishing source code does not create those weaknesses, but it can modestly reduce attacker uncertainty and speed up analysis (an effect that may increase with AI assistance), especially where maintenance is weak and fixes are slow. This guidance reinforces the minimum operational capability already assumed for safely operating publicly accessible services.
