The award recognizes CVE-2025-31484, a critical supply-chain issue discovered during 7ASecurity’s conda-forge audit.
7ASecurity is proud to share that Szymon Grzybowski has won OSTIF’s 2025 Bug of the Year Award. The winning issue was CVE-2025-31484, a critical supply-chain vulnerability identified during our conda-forge security audit. For us, this is meaningful recognition not only of one excellent finding, but also of the way 7ASecurity approaches complex security work.
According to OSTIF, the winner was selected after its directors reviewed the 16 Critical and High findings published across its 2025 audit releases. That context matters. This was not a popularity contest or a generic mention. It was a decision made from a pool of high-impact issues with real ecosystem consequences.
Why this recognition matters
At 7ASecurity, we believe the highest-value security work goes beyond surface-level scanning. The most damaging issues often live in the seams between source code, deployment workflows, trust boundaries, runtime behavior, and the broader supply chain. That is why our assessments emphasize manual, researcher-led testing, careful analysis of how systems actually operate, and clear communication with maintainers throughout the engagement.
CVE-2025-31484 is a strong example of that approach. The issue affected the conda-forge channel upload process and made it possible for a feedstock maintainer to upload a package to the conda-forge channel while bypassing the intended feedstock-token and upload workflow. In modern software ecosystems, weaknesses like this can have outsized downstream consequences, which is exactly why holistic review matters.
What it says about 7ASecurity
We take pride in delivering audits that focus on real risk, not noise. Our goal is to find the issues that matter, explain them clearly, help teams fix them efficiently, and verify the remediation. That combination of deep manual testing, practical reporting, and fix verification is a core part of how 7ASecurity works.
The award also highlights something we value as a firm: public-impact security work. When engagements are published, maintainers, funders, and users gain a clearer understanding of where risk existed and how it was addressed. That kind of transparency helps strengthen trust in the open source ecosystem and raises the standard for future security work.
A good outcome for the ecosystem
We also want to recognize the professionalism of everyone involved in handling the issue. High-impact vulnerabilities are only part of the story; the real outcome depends on how quickly and responsibly they are analyzed, remediated, and communicated. Strong security results come from both careful research and effective follow-through.
Congratulations again to Szymon on a well-deserved recognition, and thank you to OSTIF and the conda-forge maintainers for making impactful open source security work possible.
Read more
If you would like to learn more, the OSTIF award announcement is linked above. You can also read Conda-Forge Security Audit by 7ASecurity or browse Public reports and publications. If your team needs a security audit that goes beyond automated scanning and focuses on real-world attack paths, contact 7ASecurity.
