from Hacker News

Show HN: SecureBuild – Zero-CVE Images That Pay OSS Projects

by grantlmiller on 6/20/25, 3:04 PM with 17 comments

We're launching SecureBuild: https://securebuild.com — a new way for open source projects and maintainers to earn revenue by partnering with and endorsing our Zero-CVE container images of their project.

We’ve spent the last decade at Replicated (https://news.ycombinator.com/item?id=9841243) helping commercial and open source software vendors securely distribute their apps to enterprise environments. During that time, we saw firsthand how hard it is for maintainers to fund their work, and how increasingly demanding enterprises have become when it comes to demonstrable security and scanning.

SecureBuild is our attempt to bridge that gap. Built on top of Wolfi (https://news.ycombinator.com/item?id=36489847), we provide Zero-CVE container images with tight SLAs, full SBOMs, etc, but we route 70% of direct subscription revenue back to the open source projects that create them.

We’re especially interested in partnering with open source maintainers who want to make their projects more secure and sustainable without changing licenses. We handle builds, hosting, sales, patching, and customer delivery.

I'm Grant (https://news.ycombinator.com/user?id=grantmiller), co-founder of Replicated & co-creator of SecureBuild, working with my co-founder Marc Campbell (https://news.ycombinator.com/user?id=marcc). We hope this can be part of a broader push toward a more secure, economically sustainable future for open source.

Happy to answer questions and share more details!

  • by jenny91 on 6/20/25, 6:43 PM

    The intersection of entities whose security is based around "responding to every CVE quickly" and the entities that care about supporting OSS projects has measure zero.

  • by westwater on 6/21/25, 8:05 PM

    What's the process to add new images?

    I assume this is limited to CVEs in the underlying layers, and adding in the latest of the primary package. Given that, how/are you testing the images after you fix the CVEs?

  • by cube00 on 6/20/25, 5:45 PM

    > New SecureBuilds are created whenever upstream CVEs are available, with a 6-day SLA for critical vulnerabilities.

    Aren't most SecOps pushing 48 hours as the absolute limit for critical vulns or are ours just being extra pushy?

  • by sheepybloke on 6/24/25, 2:13 AM

    How does this compare with something like IronBank? Looks like that could be a great partnership!

  • by siggy on 6/20/25, 4:47 PM

    Thanks for sharing. What does the onboarding process look like? If I'm maintaining my own Dockerfiles today, do you or I evaluate and port those to SecureBuild/Wolfi?

  • by dhorthy on 6/20/25, 4:22 PM

    This looks cool. Your homepage video should open with what it is, though!