On June 11, The Hacker News named the ActiveState Curated Catalog the Best Open Source Security Platform at its 2026 Cybersecurity Stars Awards. Across more than 90 subcategories spanning DevSecOps, application security posture management, security operations, threat intelligence, and automated pentesting, open source software security stood as its own named category, and ActiveState is the solution recognized in it. The award reflects something more specific than a strong product, which is how far upstream ActiveState governs open source software before it ever reaches your build.
In announcing the award, The Hacker News connected the recognition to the change in how software is now built:
"We congratulate ActiveState on winning the Best Open Source Security Platform award in the 2026 Cybersecurity Stars Awards. ActiveState helps development teams manage open source software by curating a private catalog of vetted components that developers and AI coding assistants can pull from instead of unvetted public registries. Their approach recognizes a real shift in how code gets written today, and we appreciate their work to help teams keep pace with that change."
Most organizations consume open source the same way, where a developer or an automated tool requests a package, a public registry serves whatever version resolves, and the component enters the build without anyone deliberately deciding it belonged there, even though the accountability for what ships still sits with your security team. The security posture of a component is largely set long before a scanner ever examines it, in how it was built, where its source came from, and who is accountable for rebuilding it when the next fix lands, and governing at that level is the position ActiveState was built to occupy.
What the Award Recognized: Governing Open Source at the Source
The approach The Hacker News credited is a decision about where in the software lifecycle the security work happens. Most open source security tooling works by examining components that already exist, identifying known vulnerabilities in packages pulled from public registries, and leaving your team to decide what to do about each finding, which is genuinely useful and still operates one step removed from where the risk originates. ActiveState works at the level of the source itself, rebuilding every component inside SLSA Level 3 infrastructure so that the provenance of each artifact is established at build time rather than inferred afterward, and so that the same pipeline that produced a component is the one that builds and publishes it when a community-approved fix becomes available.
That control over the full path from source to built artifact to remediation is the depth the award recognizes, and it is the part that is difficult to replicate. A capability like this is hard to assemble after the fact by stitching together scanners and registries that were never designed to produce components in the first place, which is what separates governing open source at the source from inspecting it once it has already arrived.
The Numbers Behind the Recognition
The Cybersecurity Stars Awards judge entries on innovation, impact, and technical excellence, and the figures behind ActiveState's recognition speak most directly to impact, describing what governing at the source produces in practice rather than in principle.
Components governed through the catalog carry 95% fewer CVEs than the same open source components pulled from a public registry, and the mean time to remediate drops by 90%. Critical CVEs are remediated within 5 business days, and high-severity CVEs within 10 business days, on a contractual basis rather than a best-effort basis. Underpinning all of it is a library of 79 million built-from-source components across 12 language ecosystems, which is a breadth that comes from years of building components at the source rather than cataloging what others have published, and the catalog works with the artifact repositories and package managers your team already uses, including JFrog Artifactory, Sonatype Nexus, GitHub Packages, and AWS CodeArtifact.
Because the catalog becomes a single upstream source in much the way a private registry already is, none of this requires your developers to learn a new tool or your platform team to rebuild a pipeline. What changes is the provenance you can rely on, since you know what each component is, where it came from, and who is accountable for remediating it before the next CVE drops.
What This Gives the Team That Owns the Risk
An award from a security publication is one kind of signal, and the one that carries more weight for the team holding the accountability is what changes when something goes wrong. Open source now appears in 98% of applications, which makes it something your organization cannot opt out of, and the question that follows a breach is rarely whether the code was open source so much as whether you exercised reasonable control over what entered your environment and whether you can prove that you did.
This is where governing at the source pays off for the team that carries the accountability, because every component built through the catalog carries an immutable record of its provenance and remediation history that holds up when a regulator, auditor, or board asks what you knew and when. That record stands in contrast to a point-in-time SBOM that may have been accurate the week it was filed and materially incomplete by the following sprint, and the personal liability that comes with the role does not soften simply because a component arrived through automation. The depth of the underlying record is ultimately what protects the organization and you when the question arrives.
Where Open Source Governance Goes From Here
This award is a snapshot of a moment, and the trend it marks is the part that carries forward, as governance moves away from being a process applied to components after they exist and toward being a property of how those components are produced in the first place. The teams that get ahead will consume open source from a source that was governed at the point it was built, while the ones that wait will keep reconciling findings from tools that can describe risk without being able to remove it at the origin.
AI-assisted development raises the stakes by increasing how much open source enters the build and how quickly, which makes the depth of the underlying governance matter more, not less. That is the position the ActiveState Curated Catalog was built to hold.
If you want to see what governing open source at the source looks like in a working environment, watch the demo of the ActiveState Curated Catalog, and then take a look at how the components in your own build are being produced today, and ask who stands behind the last one that shipped.