Hi! I'm an Open Source evangelist and Maker, working at Red Hat and with OpenSSL and Apache to improve software security. I also work on various software and hardware projects, I cosplay at various events around the world, and I'm probably listening to A State of Trance.
Articles and talks...
- Community-led Security at ASF (Video, Oct 2021)
- Our CVE Story: An Open-Source, Community-Based Example (13 Apr 2021)
- Apache Security Risk Report: 2020 (25 Jan 2021)
- Apache Security Risk Report: 2019 (31 Jan 2020)
- Red Hat Product Security Risk Report: 2016 (7 Mar 2017)
- Happy 15th Birthday Red Hat Product Security (17 Oct 2016)
- Red Hat Product Security Risk Report: 2015 (21 Apr 2016)
- Go home SSLv2, you're DROWNing (1 Mar 2016)
- Don't judge the risk by the logo (8 Apr 2015)
- Enterprise Linux 6 Risk Reports: 6.5 to 6.6 (Nov 2014), 6.4 to 6.5 (Nov 2013), 6.3 to 6.4 (Feb 2013), 6.2 to 6.3 (Oct 2012), 6.1 to 6.2 (Dec 2011), 6.0 to 6.1 (May 2011)
- Enterprise Linux 5 Risk Reports: 5.8 to 5.9 (Jan 2013), 5.7 to 5.8 (Sep 2012), 5.6 to 5.7 (Jul 2011), 5.5 to 5.6 (Jan 2011), 5.4 to 5.5 (Apr 2010), 5.3 to 5.4 (Sep 2009), 5.2 to 5.3 (Jan 2009), 5.1 to 5.2 (May 2008), 5.0 to 5.1 (Nov 2007)
- Enterprise Linux 4 Risk Reports: Six years (Aug 2011, PDF), Three years (Feb 2008), Two years (Apr 2007), One year (Mar 2006)
Things you might find on a CV...
- In 1988 attended the University of Bradford doing a degree in Electronics, Communications, and Computer Systems, during which time authored various popular Freeware/Shareware software including ResPlay, ModObj, ModRes, ModEdit, ModPlay, Play, and was radio station manager of Radio Ramair.
- In 1992 started a PhD on the internet control of a Robotic Telescope, initially using an interactive gopher server, but switching to the NCSA web server in October 1993, and then to Apache.
- In April 1995 joined the core development team of Apache, finding and fixing security issues and writing modules such as mod_status. I became a founding member of the Apache Software Foundation, and currently serve as VP, Security.
- In 1996 joined UK Web as technical director working on many projects including co-writing the focus interactive Teletext and internet games for BSkyB, and founded the Apache Week publication.
- In 1997 founded and managed C2Net Europe, designing and developing Stronghold, a secure web server based on Apache. Contributed to various open source projects including mod_ssl and co-founded the OpenSSL project.
- In 2000, C2Net merged with Red Hat and I founded the Red Hat Product Security team, which I led until 2018. Since 2002 I have been an editorial board member of the Mitre CVE project and run the Candidate Naming Authorities for OpenSSL and Apache.
- In 2018 moved to the Open Source Program Office in Red Hat, where I continue to work on OpenSSL, Apache, OpenSSF, and CVE.