The NHS looked at security vulnerabilities reported to them and decided the solution was to close everything down. Last month, they made their GitHub repositories private across the board, shutting down public access to code that had been open source.
That wasn’t just unusual. It violated the UK government’s own digital standards, which default to open source for public sector software. And now the Government Digital Service, which sets those standards, has publicly told them they got it wrong.
The whole situation started with Project Glasswing, a security initiative that reported vulnerabilities to NHS repositories. The NHS response was to make everything private. Not to fix the specific issues, not to improve their security processes, but to pull down the blinds entirely.
GDS published their response on May 14th in a post called “AI, open code and vulnerability risk in the public sector.” The key line: “Keep open by default.”
When government agencies write software with public money, there’s a strong argument that the code should be public too. It enables scrutiny, prevents vendor lock-in, and lets other agencies reuse solutions instead of building the same thing twice.
The UK has had an “open source by default” policy for public sector code since the early 2010s. GDS was instrumental in establishing that standard. When they say the NHS should keep code open, they’re not making a technical suggestion. They’re pointing out a policy violation.
Simon Willison has been tracking this story as it develops. He notes that GDS’s response goes beyond just criticizing the NHS. They’re using this as a teaching moment about how to handle security in open source projects.
The NHS apparently decided that keeping code private would improve security. That’s backwards. Open source doesn’t make software less secure. What makes software less secure is not fixing vulnerabilities, not responding to reports properly, and not having processes in place to handle disclosure.
If your repos have serious security issues, making them private doesn’t fix those issues. It just means fewer people can see them and report them. You’re trading transparency for the illusion of security.
GDS makes this point explicitly in their guidance. They recommend keeping code open even when it contains vulnerabilities, because the benefits of transparency outweigh the risks of obscurity. The correct response to security reports is to fix the problems, not hide the code.
There’s a playbook for this. When someone reports vulnerabilities in your open source project, you acknowledge the report, assess the severity, develop fixes, and publish them. If the issues are critical, you might coordinate disclosure timing. But you don’t just shut everything down.
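One concrete form that "processes in place to handle disclosure" takes is a machine-readable security.txt (RFC 9116) served at `/.well-known/security.txt`, alongside a SECURITY.md in each repository, so a reporter knows where to send a finding and what response to expect before anyone has to choose between a public issue and silence. The file below is an added illustration, not anything published by the NHS, GDS or Project Glasswing; the contact address, policy URL, key location and expiry date are placeholders.

```text
# Added example of a security.txt (RFC 9116); all values are placeholders.
# Contact: where to send a vulnerability report (email, URL or phone).
Contact: mailto:security@example.org
Contact: https://example.org/report-a-vulnerability

# Expires: mandatory; reporters should treat the file as stale after this date,
# so rotate it on a schedule rather than setting it years ahead.
Expires: 2026-12-31T23:59:59Z

# Encryption: public key for reporters who want to encrypt their report.
Encryption: https://example.org/.well-known/pgp-key.txt

# Policy: the published disclosure policy, covering acknowledgement time,
# triage, fix timelines and coordinated publication of advisories.
Policy: https://example.org/vulnerability-disclosure-policy

# Acknowledgments: where reporters who helped are credited (optional).
Acknowledgments: https://example.org/security-acknowledgements

Preferred-Languages: en
Canonical: https://example.org/.well-known/security.txt
```

The point of publishing this is not the file itself but the commitment it encodes: a named intake channel, a key for sensitive reports, and a policy that states how long acknowledgement and fixes take. A repository that lacks these is what turns a routine report into a panic decision like taking everything private.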
Other government agencies handle this routinely. The U.S. Digital Service and 18F keep their code open. So does GDS itself. They all get security reports. They all deal with them transparently.
The NHS has good engineers who know how to do this. But somewhere in the organization, someone made a decision that protecting reputation was more important than following through on the principles behind open source. That’s the decision GDS is pushing back against.
This isn’t really about one agency making their repos private. It’s about whether governments will stick with open source when it gets uncomfortable.
Open source for public sector code isn’t just a technical choice. It’s an accountability mechanism. If the NHS builds a patient records system with taxpayer money, other agencies should be able to see how it works, learn from it, and reuse components. Closing that off makes government software more expensive and less trustworthy.
The NHS decision sets a bad precedent. If security reports are met with lockdowns instead of fixes, other agencies will notice. Some will follow suit. And the default-to-open standard that took years to establish will erode piece by piece.
GDS getting involved publicly is significant. They don’t usually call out specific agencies by name. But they’re treating this as important enough to make an example of. That suggests they see the same risk: if the NHS gets away with abandoning open source when it’s inconvenient, others will try the same thing.
The NHS should reopen their repositories. If there are specific security issues that need to be addressed first, fine, address them. But the default should be open, because that’s both policy and good practice. GDS is right to push back, and they shouldn’t be the only ones saying it.