BellSoft Moves to OSV Format for Transparent Security Disclosure

Aug 7, 2025
Aleksei Voitylov

We're excited to announce that BellSoft has adopted the Open Source Vulnerabilities (OSV) schema for reporting CVEs in Alpaquita Linux, Stream and LTS versions. Every vulnerability we identify there is now reported in a standardized format that will integrate seamlessly with the security tools developers rely on.

This move positions us alongside 25+ technology companies and open source projects in a unified effort to make open source software more secure and transparent for developers worldwide.

The Challenge: No Standard Format for Open Source Vulnerabilities

Before OSV, there was no existing standard format that could adequately address the unique challenges of open source vulnerability management. The problems were fundamental:

Imprecise Version Matching: Existing mechanisms like CPEs (Common Platform Enumerations) couldn't enforce version specifications that precisely match the naming and versioning schemes used in actual open source package ecosystems. Matching a CVE to a specific package name and set of versions in a package manager was nearly impossible to do reliably in an automated way.

Ecosystem Fragmentation: No format could describe vulnerabilities across all open source ecosystems without requiring ecosystem-dependent logic to process them. Each language, package manager, and distribution needed its own special handling.

Automation Barriers: Existing formats weren't designed to be easily consumed by both automated systems and humans, creating friction in security workflows and slowing down detection and remediation.

These limitations meant vulnerability databases, open source users, and security researchers couldn't easily share tooling or consume vulnerability data across the entire open source landscape. The result was fragmented security coverage and slower response times when vulnerabilities were discovered.

Enter OSV: The Standard for Vulnerability Data

The Open Source Vulnerabilities (OSV) schema emerged from Google's security team around 2021 to address these fundamental problems. Rather than forcing open source projects into rigid, centralized systems, OSV works with the concepts developers actually use daily—git commits, package versions, and ecosystem-specific identifiers.

OSV addresses these challenges through three key design principles:

Precise Version Matching: OSV enforces version specifications that exactly match the naming and versioning schemes used in actual package ecosystems, eliminating the guesswork in automated vulnerability detection.

Universal Ecosystem Support: A single format works across all open source ecosystems without requiring ecosystem-specific processing logic, enabling truly unified tooling.

Dual Accessibility: The schema is designed to be equally consumable by automated systems and human reviewers, streamlining both tooling integration and manual analysis.

This unified approach means vulnerability databases, open source users, and security researchers can finally share tooling and consume vulnerabilities across all of open source, creating more complete vulnerability coverage and faster detection and remediation times.

Industry Adoption: The New Standard

OSV has rapidly become the de facto standard for vulnerability data sharing in the open source community. GitHub's Security Advisory Database uses OSV as its foundation. Major language ecosystems including Python, Rust, and Go have embraced the format. Security tools like Dependabot and Snyk consume OSV data directly.

Linux distributions haven't been left behind either. Rocky Linux, AlmaLinux, SUSE, Debian, Ubuntu, and others have adopted OSV, recognizing its value for precise vulnerability communication. Popular security scanners like Trivy, Grype, and Syft are built to consume OSV data, ready to provide accurate security assessments when integrated with OSV-compatible sources.

BellSoft's OSV Implementation

BellSoft has maintained public Security Advisories for all our products, ensuring transparency in vulnerability disclosure. Our OSV adoption for Alpaquita Linux (both Stream and LTS distributions) builds on this foundation by adding machine-readable format support to our existing vulnerability reporting.

This enhancement makes analyzing vulnerability applicability to specific installations of our distributions significantly simpler and more transparent for our customers and users. All vulnerability data for Alpaquita Linux (both Stream and LTS distributions) now follows the OSV schema, including kernel-level vulnerabilities and user-space package vulnerabilities that might affect your deployments.

You can access this information in two ways: browse our Security Advisories directly on our website, or prepare for future integration with OSV-compatible security scanning tools. Our vulnerability data now lives in the broader OSV ecosystem—a centralized but community-driven database that's not proprietary to any single vendor.

When security scanners add support for BellSoft products, they'll follow a two-step process: first, they'll identify that you're using Alpaquita or Liberica in your environment. Second, armed with your exact version and component information, they'll query the OSV database to determine whether specific vulnerabilities are present or have been patched in your deployment.
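The precise version matching described under OSV's design principles and the scanner's second step above come down to one check: does the installed version fall inside an `affected[].ranges[]` interval of the OSV record? The following is an added example, not BellSoft's or OSV's own code; the record is constructed, its ID, package name and versions are placeholders, "Alpaquita" as the ecosystem string is an assumption, and the apk-style version comparison is deliberately simplified.

```python
import json
import re

# Constructed OSV record for illustration: the ID, package name and versions
# are placeholders, not a real Alpaquita advisory.
OSV_RECORD = json.loads("""{
  "id": "EXAMPLE-2025-0001",
  "affected": [{
    "package": {"ecosystem": "Alpaquita", "name": "libexample"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "1.2.0-r0"}, {"fixed": "1.2.3-r1"},
                           {"introduced": "1.3.0-r0"}, {"fixed": "1.3.1-r0"}]}]
  }]
}""")

def apk_version_key(version):
    """Comparable tuple for an apk-style version such as '1.2.3-r1'. Simplified:
    numeric parts plus the -rN release; real apk ordering also handles suffixes."""
    base, _, rel = version.partition("-r")
    nums = tuple(int(x) for x in re.findall(r"\d+", base))
    return (nums, int(rel) if rel.isdigit() else 0)

def in_interval(key, introduced, fixed):
    """OSV events define [introduced, fixed); introduced '0' means from the start."""
    lo_ok = introduced == "0" or apk_version_key(introduced) <= key
    hi_ok = fixed is None or key < apk_version_key(fixed)
    return lo_ok and hi_ok

def is_affected(record, ecosystem, name, installed):
    """True if the installed version falls into any ECOSYSTEM range of a matching
    affected entry: the scanner's second step once distribution and version are known."""
    key = apk_version_key(installed)
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            introduced = None
            for event in rng.get("events", []):  # ordered introduced/fixed pairs
                if "introduced" in event:
                    introduced = event["introduced"]
                elif "fixed" in event and introduced is not None:
                    if in_interval(key, introduced, event["fixed"]):
                        return True
                    introduced = None
            if introduced is not None and in_interval(key, introduced, None):
                return True  # introduced with no fix event: still vulnerable
    return False
```

Note that the version equal to `fixed` is reported as not affected, while a version equal to `introduced` is: the interval is half-open, which is what makes the result unambiguous for automated tools.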

Preparing for Seamless Security Integration

This standardization directly addresses the core problems that have plagued open source security. Teams will benefit from precise package matching that eliminates false positives, universal tooling that works across all ecosystems, and automated vulnerability detection that integrates seamlessly into existing workflows. No more manual cross-referencing between incompatible databases or dealing with ecosystem-specific security tools.

The standardized format means vulnerability information will reach developers wherever they need it, in tools they already trust and workflows they've already established.

Our Commitment to Open Source Security

"Security has always been at the heart of everything we build," notes Alexander Belokrylov, BellSoft's co-founder and CEO. "We believe in and love open source, but we also recognize that it can be vulnerable. That's precisely why we do everything possible to make it more transparent and secure. With Alpaquita now supporting the OSV schema, we're preparing for a developer experience that will be significantly easier. Everything they need will be in one place, accessible through tools they already trust."

Looking Forward: Building on This Foundation

OSV adoption for Alpaquita represents the first step in our enhanced security tooling strategy. We're planning to extend OSV support to Liberica JDK and NIK in future releases, creating a unified security reporting standard across our entire product portfolio.

We're working toward broader integration with security scanners, ensuring that when they add BellSoft product support, the experience will be seamless and reliable.

This continues our commitment to making security easy for our users while reinforcing our security-first approach. We don't leave security gaps unaddressed—we identify them, report them transparently through standardized channels, provide clear guidance on remediation, and deliver patches promptly.

By adopting OSV, we're not just following an industry trend—we're ensuring that our security efforts align with the tools and workflows our community depends on. It's another step in our ongoing commitment to making open source software more secure for everyone.
