Public source, not proprietary binaries
Every backpatch is developed in a public GitHub organization your engineers can audit before adoption. Long-term support providers ship binaries. Backpatch Alliance ships source.
Backpatch Alliance · Open Source Security
Canonical fixes for critical open source past end of support. Developed in public, signed by upstream maintainers, delivered as standard Maven artifacts you own.
Backpatch producer for
Piloted by 5 FINOS institutional members
Every backpatch is developed in a public GitHub organization your engineers can audit before adoption. Long-term support providers ship binaries. Backpatch Alliance ships source.
Where the upstream project accepts contributions, the canonical fix is offered back. Your patched version has a migration path when the project ships an official release.
Every backpatch is cherry-picked from a specific upstream commit and links back to it. Where the original library maintainers participate, their signatures appear on the commits themselves.
Major-version upgrade across every service that consumes the library, directly or transitively. Hundreds of repositories, dozens of teams. Coordination cost paid twice: once to ship, once to defer everything else.
Pay a vendor to backpatch, per library, per year. Fix locked in proprietary distribution. Your commercial relationship is with the vendor, not with the open source project. Posture depends on their next pricing decision.
Custom cherry-picks maintained by your team. Test coverage that survives API changes between versions. Real engineering-hours cost per library. Unsustainable across a portfolio of end-of-life dependencies.
Canonical fixes with public source, cherry-pick provenance to upstream, and commits signed by original library maintainers. Delivered on a severity-based SLA.
One member requests a backpatch. Every member has it. Pooled institutional demand feeds a single production line, so every backpatch that ships is accessible to every member of the Alliance. Cost and effort are shared; benefit is shared.
Every backpatch is developed in a public GitHub organization. Full commit history, authorship provenance, and links to the upstream commits being backported are visible for audit. Your security team can review the diff. Your dependency-review pipeline can inspect the source before adoption. No proprietary blob to trust on the vendor's assurances.
Where the upstream project accepts contributions, the canonical fix is offered back to the original maintainers. When the project ships an official release incorporating the fix, you have a clear migration path. Backpatch Alliance is a bridge, not a permanent parallel dependency tree.
Each backpatch cherry-picks from a specific upstream commit, with metadata linking back. A baseline git tag marks the starting version, so any auditor can diff the backpatch branch against a known upstream point. Original library maintainers signed the commits on all four launch backpatches. Provenance is git history, not marketing.
Moderne engineers backpatch the vulnerable framework at the exact upstream commit representing the customer's baseline. Fixes cherry-pick from later releases where they apply cleanly, and are rewritten where the API has diverged. Every backpatch preserves authorship provenance, links to upstream, and passes the framework's test suite. Additional regression tests are added where API divergence requires it. Source is developed publicly, with original library maintainers on the commits.
The patched artifact publishes to a Maven repository with a +backpatch.NNN version suffix. Your build system resolves it as a standard dependency. Proxy configuration unchanged. Scanners, SBOM tooling, and CI pipelines continue to operate against the same coordinates. OSERA members consume from the FINOS-hosted Sonatype Nexus. Direct Moderne customers consume from a Moderne-managed repository. The sources JAR publishes alongside the binary in both channels.
Customers consume the artifact through existing build tooling. Maven or Gradle resolves the backpatched coordinates as a standard dependency. Rollout follows the customer's change management process. Customers who also license Moderne Platform can apply the version update across every pom.xml, build.gradle, or dependency manifest in coordinated changesets, including direct and transitive references and multi-module version alignment for Spring Framework and Apache Camel.
Production-ready backpatches spanning application frameworks, networking, integration, cryptography, data formats, and JVM utilities — validated through the OSERA pilot and consumable today through your existing package infrastructure. Four featured here for range:
3.10.6.Final+backpatch.001
Network framework. Backpatch cherry-picked from main, tests rewritten against the older API.
5.3.39+backpatch.001
Application framework. All modules released self-referentially so versions align across the framework.
2.25.4+backpatch.001
Integration framework. Approximately 100 modules, stress-tested end to end during pilot.
1.47+backpatch.001
TLS and cryptography library. Original patched version was still in CVS. Migrated to Git and built on Ant to reach modern tooling.
Available to any enterprise under commercial contract. Backpatches delivered on a severity-based SLA. No FINOS membership required.
Talk to an ExpertFINOS institutional members can access Backpatch Alliance backpatches through the OSERA pilot. Contact membersuccess@finos.org or visit osera.finos.org for details.
Visit OSERABackpatch Alliance is Moderne’s commercial backpatching product. It produces canonical, upstream-first fixes for critical open source frameworks past their end-of-support date. Source is public in a dedicated GitHub organization, cherry-pick metadata links each backpatch to the upstream commit it was ported from, and original library maintainers signed the commits on the four launch backpatches. Delivered on a severity-based SLA.
Backpatch Alliance launches with production-ready backpatches for Netty (3.10.6.Final), Spring Framework (5.3.39), Apache Camel (2.25.4), and Bouncy Castle (1.47). Coverage expands based on Alliance member and customer requests.
Backpatched artifacts preserve the upstream group ID and artifact ID and add a +backpatch.NNN version suffix. A backpatched Spring Framework 5.3.39 publishes as org.springframework:spring-core:5.3.39+backpatch.001. Your build system resolves it identically to any other Maven artifact.
Backpatched artifacts publish to a Maven repository. OSERA delivery uses the FINOS-hosted Sonatype Nexus, accessible to member institutions. Direct Moderne delivery uses a Moderne-managed repository, accessible under commercial contract. Proxy configuration is unchanged or minimal. CI, SBOM tooling, and vulnerability scanners continue to operate against the same coordinates.
No. Backpatch Alliance is available standalone under commercial contract. Customers consume backpatched artifacts through their existing build tooling. Maven or Gradle resolves the coordinates as it would any other dependency. Customers who also license Moderne Platform can apply backpatches across every repository in their estate in a single coordinated operation using OpenRewrite recipes.
Yes. Every backpatch line has a dedicated public GitHub organization with full commit history, authorship provenance, and links to upstream commits. The sources JAR publishes alongside the binary in the Maven repository, so customers can inspect source through standard tooling without additional access. Built artifacts are delivered to paying customers through commercial contract.
Each backpatch passes the upstream project’s existing test suite, adapted where necessary for API differences between the vulnerable version and the fix’s original target. Where the upstream API has changed significantly (Netty is one such example in the launch coverage), tests are rewritten against the older API to preserve semantic equivalence. Additional regression tests are added where API divergence requires it.
Transitive dependencies pointing to a backpatched artifact resolve through your build tool’s normal dependency management. Customers on Moderne Platform can additionally use OpenRewrite recipes to update all references, direct and transitive, across every repository in a single operation.
Backpatches propagate through your existing build and deployment workflow. The artifact is a standard Maven dependency that resolves through your existing tooling. Customers on Moderne Platform can additionally use OpenRewrite recipes to apply the version update across every pom.xml, build.gradle, or dependency manifest in coordinated changesets. Multi-module frameworks like Spring Framework and Apache Camel have internal modules updated in coordinated changesets to maintain version alignment.
Backpatch Alliance is designed as a bridge to a supported upstream version. When you are ready to migrate, the same distribution mechanism carries you forward. Moderne Platform customers can use recipes to handle the migration from backpatched version to current upstream release.
Backpatches are maintained under commercial contract. They are designed as a managed bridge to a currently-supported version of the framework, not a permanent parking spot.
Yes. Each backpatch is delivered on an SLA based on the severity and priority of the vulnerability it addresses.
Proprietary long-term support providers deliver drop-in replacements as binaries. Their patches are typically distributed only under commercial contract, without public source access. Backpatch Alliance delivers canonical fixes as public source in an open GitHub organization, offers them back to the upstream project where viable, and publishes the sources JAR alongside every binary. Original library maintainers appear as signers on the commits. Backpatch Alliance is designed to keep enterprises portable and audit-ready.
Akrites is a Linux Foundation initiative that coordinates disclosure and upstream fixes for vulnerabilities in maintained open source projects. Backpatch Alliance is Moderne’s commercial product that backpatches vulnerabilities in end-of-life versions that upstream projects no longer support. The two efforts complement each other. Akrites handles active projects. Backpatch Alliance handles the versions your business still depends on but the upstream can’t fix.
OSERA is a FINOS-governed alliance for financial services firms to mutualize the cost of backpatching shared dependencies. Backpatch Alliance is the underlying capability that produces those backpatches. FINOS institutional members access Backpatch Alliance through OSERA. Any other enterprise accesses it directly from Moderne.
Backpatch Alliance is available today. Talk to a Moderne expert about coverage priorities, SLA requirements, and integration with your existing package infrastructure.