FSFE Slams NHS England’s Reported Move To Privatise Open Source Code Over AI Security Fears

FSFE Accuses NHS England Of Undermining Open-Source Principles By Privatising Publicly Funded Code Over AI Security Fears

FSFE has criticised NHS England’s reported plan to make public code repositories private over AI-driven vulnerability concerns, warning that the move weakens open-source transparency and collaborative cybersecurity.

The Free Software Foundation Europe (FSFE) has warned that NHS England’s reported plan to switch most public source-code repositories to “private” threatens open-source principles and weakens cybersecurity transparency.

Reports indicate the move is linked to concerns that publicly accessible repositories could be scanned for vulnerabilities using Artificial Intelligence. An internal NHS policy titled “SDLC-8” reportedly requires publicly accessible repositories to be made private unless an explicit exception is granted.

FSFE argued that depublishing repositories does not prevent attackers from analysing already deployed systems, dependencies, interfaces, binary files, or previously copied source code. Instead, the organisation said the move removes a critical layer of independent public scrutiny and collaborative vulnerability discovery.

“Depublishing public code is not a security strategy. ‘Security through obscurity’ has been debunked as a security measure for a long time. Making repositories private does not protect NHS systems. It only limits who can help find and resolve problems,” said Johannes Näder, Senior Policy Project Manager at FSFE.

According to FSFE, open repositories enable independent IT experts, security researchers, and public institutions to inspect, improve, reuse, and report vulnerabilities in software.

NHS England told The Register the measure is temporary and intended to strengthen cybersecurity while assessing the impact of rapid AI-model developments. The organisation reportedly said source code would continue to be published where there is a clear need.

FSFE reiterated that software funded by public money should remain free and openly reusable, urging NHS England to withdraw policies treating source code as private by default.
