Hacktron Review for Open Source

May 8, 2026
2 min read

Code is being written faster than ever. It’s also being attacked faster than ever.

Attackers are using AI agents to hunt vulnerabilities at scale, ship malicious dependencies into open source, and weaponize supply-chain footholds before maintainers even see the issue.

Six years ago, the median time-to-exploit of a vulnerability was 1.5 years. Today, that number is -18 hours. That means adversaries are exploiting vulnerabilities, on average, 18 hours before disclosure (CISA, VulnCheck).

(Figure: Zero Day Clock)

We want to change that.

Today we’re opening up Hacktron Review for Open Source: the same PR security reviewer we ship to commercial teams, free for qualifying open source projects. You get the same capabilities as our commercial customers on every PR opened by project maintainers.

What it looks like

Hacktron Review installs as a GitHub App and reviews every PR opened by project maintainers.

  • Inline PR comments: Findings are posted on the offending lines, with reproduction context.
  • Learns your codebase: Every triage comment your team leaves becomes training signal. Hacktron sharpens to your project’s threat model over time, with fewer false positives and more real bugs.
  • Auto-resolution: When a fix lands, Hacktron detects it and closes the finding.
  • Project-specific rules: Drop a .hacktron/rules.md in your repo to teach Hacktron your auth patterns, trusted sources, or code paths to ignore.
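As an illustration of what such a file might contain, here is a hypothetical `.hacktron/rules.md` for a made-up project. This is an added example, not Hacktron's documented format: the page only says the file is Markdown that teaches the reviewer your auth patterns, trusted sources and paths to ignore, so the section names, wording and every path and function name below are assumptions.

```markdown
# Hacktron rules for example-org/widget (hypothetical project; assumed format)

## Authentication and authorization
- Every HTTP handler under `src/api/` must be wrapped by `require_session()`;
  a handler reachable without it is a missing-authentication finding.
- `current_user.is_admin` is the only admin check we use; role strings
  compared by hand elsewhere are a finding, not an accepted pattern.

## Trusted sources
- Values read from `config/*.toml` are operator-controlled and trusted;
  do not report injection findings whose only source is this file.
- Anything parsed from request bodies, query strings or `X-Forwarded-*`
  headers is untrusted, including after JSON decoding.

## Paths to ignore
- `tests/fixtures/` holds intentionally malformed inputs; do not report them.
- `vendor/` is third-party code tracked upstream; report only if our own
  code passes untrusted input into it.
```

Whatever the real syntax turns out to be, the useful content is the same: which checks mean "authorized", which inputs are trusted and why, and which directories are noise. Writing those down is also a cheap way to document the project's threat model for human reviewers.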

Why we’re doing this

We’ve spent the past few months using Hacktron to hunt 0-days in popular open source projects. For each finding, we replayed the offending PR through Hacktron Review to see if the bug could have been caught before merge.

It caught the criticals.

Giving maintainers the same capabilities that attackers would otherwise use against them feels like the right thing to do.

How to apply

If you maintain an open source project and want Hacktron Review on your PRs, head to hacktron.ai/open-source and submit your repo.

You’ll need to be an owner or admin who can install GitHub Apps. We’re currently prioritizing actively maintained projects with meaningful downstream usage. We’ll review your application and get you set up.