GDS Advises NHS to Keep Open Source Default After Vulnerability Backlash
The UK Government Digital Service (GDS) has published guidance on open code and vulnerability risk in the public sector, advising government bodies to remain 'open by default' and use closure 'sparingly and deliberately.' The May 14th publication is widely seen as a response to the NHS's decision to shut down its open source repositories following vulnerability disclosures under Project Glasswing. Blogger Terence Eden, who has been covering the NHS retreat, interprets the GDS intervention as a rare public escalation of internal civil service disagreement. The GDS paper does not name the NHS but says that making everything private adds costs and reduces reuse and scrutiny. Simon Willison linked to the story on May 17th, 2026.
Key facts
- GDS published guidance on open code and vulnerability risk on May 14th.
- The guidance recommends keeping open source repositories open by default.
- The NHS closed its open source repositories after Project Glasswing vulnerability reports.
- Terence Eden has been covering the NHS decision.
- Eden interprets the GDS paper as a major escalation within the civil service.
- The GDS paper does not explicitly mention the NHS.
- Simon Willison posted a link to the story on May 17th, 2026.
- The guidance states that closure should be used sparingly and deliberately.
Entities
Institutions
- Government Digital Service
- NHS
- Project Glasswing
Locations
- United Kingdom