About Us
We are the creators of Minefield, an ultra-fast SBOM graphing tool that outstrips other SBOM graphers by orders of magnitude. We built it to graph the relationships between projects and their dependencies, so that transitive vulnerabilities can be found quickly and effectively.
We are also leading contributors to, and maintainers of, critical open source security projects, including OpenSSF Scorecard, Criticality Score, GUAC, gittuf, and Sigstore.
We have given talks on software security at RSA, DEF CON, and many Linux Foundation conferences. We have also received three Google Peer Bonus awards for our impact on the security ecosystem.
Why Did We Start Bomfather?
We love writing security tools, but no solution in runtime security met the standards we wanted.
What we saw was:
- Runtime security was insecure. You could run eBPF security solutions, but all existing ones are vulnerable to policy manipulation and can be shut down by malicious actors. You could try running a kernel module, but if there's even one bug in that kernel module, your kernel crashes. And userspace security solutions can't be trusted, since they don't run in the kernel, rendering them obsolete.
- Runtime security was hard to use, like really hard. The configs were obscure and pages long. Think about it: how many people actually run a runtime security solution on their servers, and even if they do, how many implement meaningful policies that actually protect their systems? Not many, since whenever workflows change, those page-long configs (which nobody understands or wants to touch) need to be rewritten.
We couldn't find any runtime security solutions that solved these problems, so Bomfather was born…