SandboxAQ has launched Open Cryptography, a free public resource for researchers, security professionals, and developers to discover and understand cryptographic risks across the Internet and the public software supply chain.
Open Cryptography is an intelligently curated and searchable resource of cryptographic assets and vulnerabilities, built with the expertise of the Cybersecurity unit at SandboxAQ and powered by AQtive Guard. It provides detailed information from public software artifacts, starting with the most popular Docker Hub images, to help users gauge the severity of weaknesses and take appropriate action.
Unveiling Open Cryptography, free to the public, reinforces SandboxAQ’s commitment to democratizing access to known critical cryptographic issues and supporting the broader mission of strengthening global resilience against cryptographic threats.
The Open Cryptography interface enables users to easily search and explore public software artifacts for cryptographic assets and risks. The dashboard highlights recently analyzed artifacts and allows users to drill down by issue type or severity.

The Methodology: Scanning Cryptographic Assets
The first step in building Open Cryptography is to source extensive information from Docker Hub images and systematically build a detailed inventory of cryptographic components, including:
Then, AQtive Guard Discovery’s engine is deployed on these Docker images to scan for and catalog assets and weaknesses. These findings are stamped with granular metadata including version numbers, severity ratings, and recommended remediation steps. The result is a detailed map of cryptographic assets and potential weaknesses, viewable under the Inventory and Issues tabs, as illustrated below.


In the Open Cryptography dashboard, issues are color-coded by severity to help users quickly assess potential risk.
These labels are intended to be part of a thorough diagnosis of cryptographic health and should not be interpreted in isolation. For instance, a summary might show 106 objects tagged with “Critical or High severity issues,” while clarification below reveals that only 10 of those were deemed to carry material risk after a data enrichment process.
Beyond severity labels, each weakness in the Issues tab can be expanded by clicking Learn more. This reveals a short report on what triggered the issue, its severity, and prospective remediation strategies. Since many viewers of Open Cryptography consume these public artifacts without the agency to change them, a For Consumers of this artifact section suggests next steps. A For project maintainers section follows, addressed to those able to rectify the weaknesses.

The vulnerabilities catalogued include issues such as weak cryptographic primitives and insufficient key sizes that are distinct from the known issues covered by the Common Vulnerabilities and Exposures (CVE) system. CVE is a public program that identifies, defines, and catalogs publicly disclosed cybersecurity vulnerabilities. Open Cryptography and CVE are complementary and work well in concert: the former focuses on cryptographic implementation patterns and weaknesses, while the latter lists known vulnerabilities in software components. In particular, Open Cryptography systematically covers the following kinds of risks, which are typically beyond the scope of CVE.
Open Cryptography is a foundational tool that helps researchers, security professionals, and software consumers identify cryptographic weaknesses in public artifacts.
While Open Cryptography provides this powerful visibility into public software, the underlying platform, AQtive Guard, is designed to provide that same deep discovery, visibility, and control across your entire enterprise. Its intelligent enrichment engine provides actionable, prioritized intelligence tailored to your organization's specific environment.
To see how AQtive Guard can help you move from a simple inventory to an actionable security plan, connect with our team.