HeroDevs Joins .NET Security Group: Securing the Future of the .NET Ecosystem
How early CVE access and coordinated patching strengthen security for the entire .NET ecosystem
A New Era of .NET Security
HeroDevs is thrilled to announce a significant milestone in our mission to protect critical open source infrastructure: HeroDevs has officially joined the .NET Security Group.
This collaboration, originally established by Microsoft, is a coalition of organizations dedicated to the swift and simultaneous delivery of vital security patches to the broadest possible community of .NET users. HeroDevs joins Microsoft, Red Hat, and Canonical in the .NET Security Group. By joining this group, HeroDevs is positioned to enhance the security posture of the entire .NET ecosystem, particularly for businesses running legacy .NET applications.
The .NET Security Group is designed to ensure that organizations distributing .NET, including those who provide long-term support such as HeroDevs, receive information about Common Vulnerabilities and Exposures (CVEs) before public disclosure. This access, granted approximately a week in advance, allows HeroDevs to build, validate, and publish security fixes concurrently with Microsoft’s own Patch Tuesday releases, dramatically reducing the window of vulnerability for our customers.
A History of the .NET Security Group
The .NET Security Group was initially created by Microsoft, which maintains the .NET open source project. The group began privately in 2016, starting with a partnership with Red Hat, and later grew to include Canonical, the publisher of Ubuntu, and IBM. Microsoft's primary motivation was twofold: to uphold security as a core value for .NET and to ensure rapid, predictable delivery of security fixes across all .NET distributions, not just Microsoft’s. This collaborative effort was established to formalize the sharing of source patches for CVEs with trusted partners, allowing them to build, validate, and publish binary security packages concurrently with Microsoft's monthly Patch Tuesday releases. The decision to expand and publicize the group was also driven by requests from organizations, such as HeroDevs, seeking access to patches for their End-of-Life (EOL) servicing businesses.
Defending Legacy .NET: Why This Matters
At HeroDevs, our philosophy is simple: Open source should be secure, stable, and sustainable for everyone, not just those on the latest version.
As "Defenders of Legacy Open Source," our core mission is to protect the critical software infrastructure that businesses rely on, long after its official EOL. We understand that forced, unplanned migrations due to security concerns are costly, disruptive, and often infeasible for mission-critical systems.
By bringing HeroDevs' commitment and expertise into the .NET Security Group, we are formalizing our role as a proactive security partner for the .NET community. Our background is built on a deep commitment to giving back to the open source world, including sponsoring long-term maintainers, patching CVEs for abandoned projects, and leading initiatives like the $20 million Open Source Sustainability Fund. Now, we are extending this commitment directly to the heart of .NET security.
Never-Ending Support (NES) for .NET: Security on Your Timeline
This new partnership directly strengthens our flagship .NET offering: Never-Ending Support (NES) for .NET.
NES for .NET is a secure, drop-in replacement for EOL .NET versions, specifically designed to eliminate the risks associated with unsupported software. It always makes a lot of sense to stay up to date with the most recent, supported version of .NET so you can take advantage of the latest and greatest features, standards, and security available. Several tools, like the .NET Upgrade Assistant GitHub Copilot extension, have recently made it easier to update your .NET version. That said, depending upon the complexity of the application and its external dependencies, updating the .NET version can still take time, possibly past the EOL date for the .NET version in use. As a result, legacy .NET versions (like .NET 6) are still powering mission-critical systems across finance, healthcare, and government, but without continuous security updates, they face severe exposure to exploits, compliance failures, and legal risks.
The HeroDevs team behind NES for .NET is led by a group of industry experts, including Microsoft MVP Hayden Barnes. The engineering effort is managed by Allison Vorthmann, an engineering manager with 5 years of experience in the .NET ecosystem, and supported by William Jones, lead .NET engineer and .NET migration expert. Their combined knowledge ensures NES for .NET delivers the highest standard of security and stability.
With NES for .NET, our customers can:
- Mitigate Risk Immediately: Receive ongoing security patches and vulnerability remediation for EOL versions, backed by our involvement in the .NET Security Group.
- Ensure Compliance: Maintain critical compliance standards (e.g., HIPAA, SOC-2, PCI DSS) by receiving the necessary security and compliance updates, even for older versions.
- Regain Control: Avoid the pressure of an immediate and possibly costly migration. NES for .NET extends the lifecycle of your systems, allowing your team to plan upgrades at a pace that aligns with your business needs.
Joining the .NET Security Group ensures that the security patches delivered via NES for .NET are timely, comprehensive, and perfectly synchronized with the broader ecosystem, making NES for .NET the most reliable solution for enterprises seeking to secure their legacy applications.
Secure Your Systems. Control Your Timeline.
HeroDevs is proud to work alongside Microsoft and other partners to contribute to a safer, more sustainable .NET ecosystem. For businesses on end-of-life .NET versions, this is your assurance that you no longer have to choose between stability and security.
Ready to protect your applications and free your engineering teams from reactive patching?
Learn more about HeroDevs NES for .NET and schedule a consultation today.