Persistent Systems aims to establish a world where every open source vulnerability has a service level agreement (SLA), so that enterprises can secure themselves against malevolent attacks without having to wait for community-driven fixes. OSFY’s Yashasvini Razdan spoke to Nitish Shrivastava, SVP and Head of Products Business at Persistent Systems, about the company’s mission to enhance open source security.
Q. Could you provide an overview of Persistent Systems’ work in open source?
A. At Persistent, we recognise the significance of open source, both as contributors and consumers. Over the last few years, we have launched several solutions to enhance open source security. We have developed a green open source repository, which serves as an alternative for our customers. This ensures that they receive immediate fixes in compatible versions, helping them integrate updates seamlessly into their products.
Our Centre of Excellence (COE) for open source focuses on securing the entire open source supply chain. We have developed our own technology stack while also partnering with premium agencies. Our work includes identifying vulnerabilities, determining necessary paths for remediation, providing actual fixes, and making them available to the community. This ensures that enterprises receive timely solutions, keeping their systems secure.
We also offer a free service called Open Source Hub, available on our website. This allows developers to link their products and gain insights into potential vulnerabilities and remediation paths. The remediation process could involve applying an available fix, upgrading to a more secure version, or, if no solution exists, receiving a custom fix from us.
One of our key initiatives is DEVSource, a developer community designed to address security vulnerabilities in open source. We use generative artificial intelligence (AI) to automate code fixes, reducing the time required to resolve security issues with our proprietary platform SASVA.
Q. How do you ensure security in open source software?
A. We provide all the critical elements needed for managing open source security, including a software bill of materials (SBOM), which tracks dependencies down to multiple levels. We find vulnerabilities, plan a remediation strategy, and fix issues—automating the entire process. What previously took companies up to two years, such as upgrading an appliance, can now be completed within a month. We also assess the geographical origins of open source components. Companies may need to evaluate potential security considerations based on the origin of components, in line with their standard risk management and compliance processes.
Q. How does providing vulnerability support generate revenue? In essence, what is your business model?
A. There are thousands of open source projects, and when vulnerabilities are discovered, our open source crew is among the first to provide fixes. These fixes are contributed back to the open source community and also made available in our green open source repository.
If you are a paying customer, you receive a timely fix in your specific version. For everyone else, the fix is freely available in the latest version through our alternative green open source repository. Anyone can download and use it, but paying customers receive version-specific patches. This is our business model. Customers who pay get the fix within 24 hours depending on the SLA and their agreement with us, while those who do not pay receive it whenever the open source community integrates the update.
Q. What role does the green open source repository play here? Does it only contain components provided by Persistent Systems, or do other external contributors also contribute to it?
A. Right now, we control the repository because it is tied to our service commitments and paying customers. However, we are expanding participation to build a developer community that allows anyone to contribute.
Developers using our SASVA platform will be able to create and publish fixes to this repository. We are actively contributing fixes to thousands of open source projects, and these fixes are automatically added to the green open source repository. Eventually, we aim to make this a primary repository, serving as an alternative for enterprises. If customers download software from our repository, they will always have the most up-to-date and secure version.
We will continue maintaining these repositories, ensuring if the community releases a fix, we provide it. If the community adds new features, we incorporate them. If there is a vulnerability or security risk, we fix it first, even before the community does.
Q. Red Hat, which is now part of IBM, used to offer a subscription model where subscribers would receive fixes for any vulnerabilities under a service level agreement (SLA). How does your approach compare to that, especially for open source software that does not have an SLA?
A. We are unique as we not only fix open source vulnerabilities but also contribute those fixes back to the open source community and roll them out in an automated manner.
Many companies focus on identifying vulnerabilities and planning fixes, but in the open source world, vulnerabilities are discovered at a much faster rate than they are fixed, creating a significant security gap. We are working to bridge that gap by accelerating the remediation process. Our service benefits both customers and the global open source community. Our green open source repository is available to everyone, mostly for free. The only service we charge for is the SLA-based option—if a customer requires a fix within 24 hours, they pay for it. Otherwise, they can wait a few days for the fix to be publicly available.
Our vision is to use our home-built AI platform to maintain open source branches, provide rapid fixes, and keep critical products secure under a defined SLA. We act as an insurance policy for companies that build critical applications using open source, strengthening open source adoption across industries.
Q. Can you tell us more about how you utilise AI to detect vulnerabilities and provide fixes?
A. Detecting vulnerabilities is relatively easy as they are publicly disclosed—you can check the Common Vulnerabilities and Exposures (CVE) database, identify an issue, and inspect the affected code. The fixing part, however, is very complex, and that is where our SASVA platform comes into play. It links to any repository, and with a specific description of the issue, our AI-driven agent workflow analyses the entire repository to generate a fix. It produces a binary that meets Supply-chain Levels for Software Artifacts (SLSA) compliance and other open source testing standards. It delivers a final pull request to the open source community—within hours. We have already processed fixes for the top 100 open source repositories, covering issues from the last six months. Now, we are scaling this capability to 10,000+ open source repositories worldwide. Our goal is to identify and fix vulnerabilities in real time.
Q. What makes SASVA different from any other platform?
A. Today, models have context-size constraints, but we have developed patented technology (over 35+ patents, with nearly 50 patents in progress) to bypass these context limitations. For example, Google Gemini has a 1-million-token context, while OpenAI models have 128KB (with newer models having context windows up to 1 million tokens). However, repositories can be as large as 15GB or 20GB. SASVA can scan and process entire repositories.
We have built SASVA entirely on an open source stack. Our training methodology ensures that our models remain adaptable to future AI advancements. SASVA understands the design patterns, frameworks, and code structures of open source projects. It runs on-premise, ensuring that data privacy is maintained. The platform is optimised for low-cost infrastructure. Our models can run on CPUs, GPUs, or even minimal hardware. This keeps hosting costs low, making it affordable and scalable for enterprises.
Q. Who is your target customer?
A. Our customers fall into several categories including large cloud providers, small and mid-sized enterprises, and major corporations developing their own applications.
One of the largest cloud hyperscalers relies on our solutions across all their cloud services. They require a strict SLA of 24 hours for security fixes. If a vulnerability similar to Log4j were to arise, they would receive a fix from us through their alternative green source, enabling them to provide timely solutions to their users. This is a B2B customer.
Another set of customers consists of enterprises that consume open source. Many companies, including those manufacturing routers, VPNs, or enterprise applications such as digital banking software, depend on our services to keep their open source stacks secure and up-to-date.
Q. Which industries are your key focus areas?
A. Any industry with governance boundaries or sensitive data is a key focus for us. These include healthcare, cloud services, BFSI (banking, financial services, and insurance), government and regulatory-driven industries, and the embedded systems industry. Embedded systems are a prime market for us because they handle sensitive data and require extensive efforts to upgrade or fix open source components. The process is complex due to dependencies across appliances, operating system kernels, third-party libraries, open source components, and proprietary products, creating an intricate lineage.
Q. How do you see the Indian market evolving in this space?
A. Historically, India has been more of a development hub, serving as an IT or engineering arm for global companies building products, but that is changing. The Indian government has introduced guidelines similar to those in the United States. One key regulation is SBOM, which mandates that companies selling to the government of India must disclose the composition of their products while ensuring they meet security standards.
We have significant engagements with such companies in the field of cybersecurity. As a result, we are not just developing solutions in India—we are also selling them here to private entities providing services to the government agencies and financial institutions.
Q. How are you incentivising the open source developer community to expand?
A. Right now, we do not offer monetary incentives, as the focus is on recognition, engagement, and professional growth.
Our vision for this community is similar to how Expert Exchange operated in the past—it was a paid platform because people received timely help. Now, we are applying this model to open source issues. Whenever new open source challenges arise, they are posted to our developer group, and members use our platform to accelerate fixes. Multiple developers can submit solutions, and if a fix is accepted by the community, the contributor receives recognition and rewards. This includes star ratings, badges, and other incentives to encourage participation.
Our goal is to engage the Indian developer community, as this presents a huge opportunity for India, and bring Indian developers into the global open source security landscape. Given that 85% of third-party products rely on open source, India’s contribution to securing this ecosystem is very critical.