Backpatch Alliance · Open Source Security

Backpatching you can audit

Canonical fixes for critical open source past end of support. Developed in public, signed by upstream maintainers, delivered as standard Maven artifacts you own.

Backpatch producer for

Piloted by 5 FINOS institutional members

How Backpatch Alliance is different from proprietary long-term support

Public source, not proprietary binaries

Every backpatch is developed in a public GitHub organization your engineers can audit before adoption. Long-term support providers ship binaries. Backpatch Alliance ships source.

Upstream first, not a permanent fork

Where the upstream project accepts contributions, the canonical fix is offered back. Your patched version has a migration path when the project ships an official release.

Verifiable provenance, not vendor assurances

Every backpatch is cherry-picked from a specific upstream commit and links back to it. Where the original library maintainers participate, their signatures appear on the commits themselves.

When the next critical CVE lands, which option will you choose?

Security risk

Emergency migration at scale

Major-version upgrade across every service that consumes the library, directly or transitively. Hundreds of repositories, dozens of teams. Coordination cost paid twice: once to ship, once to defer everything else.

Time to attack < 24h From CVE disclosure to active exploitation in production, measured now in hours not weeks
Expensive

Commercial extended support

Pay a vendor to backpatch, per library, per year. Fix locked in proprietary distribution. Your commercial relationship is with the vendor, not with the open source project. Posture depends on their next pricing decision.

Coverage gap ~80% Of open source dependencies sit unmanaged and outdated in production estates
Slow

In-house backpatching

Custom cherry-picks maintained by your team. Test coverage that survives API changes between versions. Real engineering-hours cost per library. Unsustainable across a portfolio of end-of-life dependencies.

Patch throughput Under 5% Of validated vulnerabilities surfaced in recent months have been patched

Backpatch Alliance

Canonical fixes with public source, cherry-pick provenance to upstream, and commits signed by original library maintainers. Delivered on a severity-based SLA.

The Backpatch Alliance approach

Shared production, shared benefit

One member requests a backpatch. Every member has it. Pooled institutional demand feeds a single production line, so every backpatch that ships is accessible to every member of the Alliance. Cost and effort are shared; benefit is shared.

Public source, auditable by your engineers

Every backpatch is developed in a public GitHub organization. Full commit history, authorship provenance, and links to the upstream commits being backported are visible for audit. Your security team can review the diff. Your dependency-review pipeline can inspect the source before adoption. No proprietary blob to trust on the vendor's assurances.

Upstream first, no permanent fork burden

Where the upstream project accepts contributions, the canonical fix is offered back to the original maintainers. When the project ships an official release incorporating the fix, you have a clear migration path. Backpatch Alliance is a bridge, not a permanent parallel dependency tree.

Verifiable provenance, signed into the commit history

Each backpatch cherry-picks from a specific upstream commit, with metadata linking back. A baseline git tag marks the starting version, so any auditor can diff the backpatch branch against a known upstream point. Original library maintainers signed the commits on all four launch backpatches. Provenance is git history, not marketing.

How Backpatch Alliance works

Production

Moderne engineers backpatch the vulnerable framework at the exact upstream commit representing the customer's baseline. Fixes cherry-pick from later releases where they apply cleanly, and are rewritten where the API has diverged. Every backpatch preserves authorship provenance, links to upstream, and passes the framework's test suite. Additional regression tests are added where API divergence requires it. Source is developed publicly, with original library maintainers on the commits.

Distribution

The patched artifact publishes to a Maven repository with a +backpatch.NNN version suffix. Your build system resolves it as a standard dependency. Proxy configuration unchanged. Scanners, SBOM tooling, and CI pipelines continue to operate against the same coordinates. OSERA members consume from the FINOS-hosted Sonatype Nexus. Direct Moderne customers consume from a Moderne-managed repository. The sources JAR publishes alongside the binary in both channels.

Application

Customers consume the artifact through existing build tooling. Maven or Gradle resolves the backpatched coordinates as a standard dependency. Rollout follows the customer's change management process. Customers who also license Moderne Platform can apply the version update across every pom.xml, build.gradle, or dependency manifest in coordinated changesets, including direct and transitive references and multi-module version alignment for Spring Framework and Apache Camel.

50+ backpatches available today

Production-ready backpatches spanning application frameworks, networking, integration, cryptography, data formats, and JVM utilities — validated through the OSERA pilot and consumable today through your existing package infrastructure. Four featured here for range:

Netty

3.10.6.Final+backpatch.001

Network framework. Backpatch cherry-picked from main, tests rewritten against the older API.

Spring Framework

5.3.39+backpatch.001

Application framework. All modules released self-referentially so versions align across the framework.

Apache Camel

2.25.4+backpatch.001

Integration framework. Approximately 100 modules, stress-tested end to end during pilot.

Bouncy Castle

1.47+backpatch.001

TLS and cryptography library. Original patched version was still in CVS. Migrated to Git and built on Ant to reach modern tooling.

Two ways to participate

Purchase directly from Moderne

Available to any enterprise under commercial contract. Backpatches delivered on a severity-based SLA. No FINOS membership required.

Talk to an Expert

Frequently asked questions

What is Backpatch Alliance?

Backpatch Alliance is Moderne’s commercial backpatching product. It produces canonical, upstream-first fixes for critical open source frameworks past their end-of-support date. Source is public in a dedicated GitHub organization, cherry-pick metadata links each backpatch to the upstream commit it was ported from, and original library maintainers signed the commits on the four launch backpatches. Delivered on a severity-based SLA.

Which open source frameworks does Backpatch Alliance cover?

Backpatch Alliance launches with production-ready backpatches for Netty (3.10.6.Final), Spring Framework (5.3.39), Apache Camel (2.25.4), and Bouncy Castle (1.47). Coverage expands based on Alliance member and customer requests.

What are the artifact coordinates?

Backpatched artifacts preserve the upstream group ID and artifact ID and add a +backpatch.NNN version suffix. A backpatched Spring Framework 5.3.39 publishes as org.springframework:spring-core:5.3.39+backpatch.001. Your build system resolves it identically to any other Maven artifact.

How is the backpatched version distributed to my build system?

Backpatched artifacts publish to a Maven repository. OSERA delivery uses the FINOS-hosted Sonatype Nexus, accessible to member institutions. Direct Moderne delivery uses a Moderne-managed repository, accessible under commercial contract. Proxy configuration is unchanged or minimal. CI, SBOM tooling, and vulnerability scanners continue to operate against the same coordinates.

Does Backpatch Alliance require Moderne Platform?

No. Backpatch Alliance is available standalone under commercial contract. Customers consume backpatched artifacts through their existing build tooling. Maven or Gradle resolves the coordinates as it would any other dependency. Customers who also license Moderne Platform can apply backpatches across every repository in their estate in a single coordinated operation using OpenRewrite recipes.

Can I audit the source of a backpatch?

Yes. Every backpatch line has a dedicated public GitHub organization with full commit history, authorship provenance, and links to upstream commits. The sources JAR publishes alongside the binary in the Maven repository, so customers can inspect source through standard tooling without additional access. Built artifacts are delivered to paying customers through commercial contract.

What is the test coverage on a backpatch?

Each backpatch passes the upstream project’s existing test suite, adapted where necessary for API differences between the vulnerable version and the fix’s original target. Where the upstream API has changed significantly (Netty is one such example in the launch coverage), tests are rewritten against the older API to preserve semantic equivalence. Additional regression tests are added where API divergence requires it.

How does Backpatch Alliance handle transitive dependencies?

Transitive dependencies pointing to a backpatched artifact resolve through your build tool’s normal dependency management. Customers on Moderne Platform can additionally use OpenRewrite recipes to update all references, direct and transitive, across every repository in a single operation.

How does a backpatch propagate through my repository estate?

Backpatches propagate through your existing build and deployment workflow. The artifact is a standard Maven dependency that resolves through your existing tooling. Customers on Moderne Platform can additionally use OpenRewrite recipes to apply the version update across every pom.xml, build.gradle, or dependency manifest in coordinated changesets. Multi-module frameworks like Spring Framework and Apache Camel have internal modules updated in coordinated changesets to maintain version alignment.

What happens when the upstream project ships a supported version I can migrate to?

Backpatch Alliance is designed as a bridge to a supported upstream version. When you are ready to migrate, the same distribution mechanism carries you forward. Moderne Platform customers can use recipes to handle the migration from backpatched version to current upstream release.

Are backpatches maintained indefinitely?

Backpatches are maintained under commercial contract. They are designed as a managed bridge to a currently-supported version of the framework, not a permanent parking spot.

Are backpatches delivered on a service-level agreement?

Yes. Each backpatch is delivered on an SLA based on the severity and priority of the vulnerability it addresses.

How is Backpatch Alliance different from other long-term support services?

Proprietary long-term support providers deliver drop-in replacements as binaries. Their patches are typically distributed only under commercial contract, without public source access. Backpatch Alliance delivers canonical fixes as public source in an open GitHub organization, offers them back to the upstream project where viable, and publishes the sources JAR alongside every binary. Original library maintainers appear as signers on the commits. Backpatch Alliance is designed to keep enterprises portable and audit-ready.

How is Backpatch Alliance different from Akrites?

Akrites is a Linux Foundation initiative that coordinates disclosure and upstream fixes for vulnerabilities in maintained open source projects. Backpatch Alliance is Moderne’s commercial product that backpatches vulnerabilities in end-of-life versions that upstream projects no longer support. The two efforts complement each other. Akrites handles active projects. Backpatch Alliance handles the versions your business still depends on but the upstream can’t fix.

How is Backpatch Alliance related to OSERA?

OSERA is a FINOS-governed alliance for financial services firms to mutualize the cost of backpatching shared dependencies. Backpatch Alliance is the underlying capability that produces those backpatches. FINOS institutional members access Backpatch Alliance through OSERA. Any other enterprise accesses it directly from Moderne.

Sources

  1. Sonatype and industry observation, 2026. The compression of the time from CVE disclosure to weaponization is a widely-cited observation across the security industry as of the AI-accelerated vulnerability discovery cycle beginning in early 2026.
  2. Sonatype, State of the Software Supply Chain. The finding that approximately 80% of open source dependencies sit unmanaged and outdated in enterprise production estates is drawn from Sonatype's annual industry report, cited on osera.finos.org.
  3. Endor Labs, cited in the Linux Foundation's Akrites launch, June 2026. Endor Labs CEO Varun Badhwar's statement that fewer than 5% of validated open source vulnerabilities surfaced in recent months have been patched appears in the Akrites founding announcement.

Backpatch what upstream can't.

Backpatch Alliance is available today. Talk to a Moderne expert about coverage priorities, SLA requirements, and integration with your existing package infrastructure.