An open letter published 1 May 2026 urges NHS England to reverse a decision to hide its software repositories and to uphold the NHS Service Standard Principle 12 that publicly funded code be open. Signed by developers, maintainers, clinicians and privacy advocates including Cory Doctorow, the letter argues closed-source practices reduce code quality and security by replacing rigorous processes with obscurity. It warns the NHS’ SDLC-8 “red line” undermines proactive vulnerability management and calls for reaffirmation of open-source commitments, citing recent removals of NHS open-source policy pages and debates about AI-related security concerns. The petition invites additional signatures and links guidance on secure open development.
A group of software engineers, NHS contributors and open-source advocates published an open letter urging NHS England to reverse a decision to hide its source code and to reaffirm its commitment to the NHS Service Standard Principle 12: “Make new source code open.” Signatories say keeping publicly funded code closed lowers quality, reduces proactive vulnerability management, and trades security through obscurity for real hardening that public scrutiny enables. The letter calls out an SDLC-8 “red line” restricting repository visibility and links to reporting that NHS removed open-source policy pages amid AI-related security concerns. The petition invites signatures from current and former UK public-sector software contributors to pressure NHS England to restore open-source practices.
NHS England is preparing to remove or restrict most of its public open-source code repositories, citing security concerns after the emergence of advanced AI-powered scanning tools like Mythos. Former government open-source advocates and guidance documents from GDS, NHSX, DHSC and the NHS service standard argue this move contradicts long-standing UK policy to publish code by default for transparency, reuse and scrutiny. Critics say the decision is an overreaction not supported by NCSC or AI Safety Institute advice, will be costly to implement, conflicts with published commitments made during the pandemic (e.g., the open-sourced contact-tracing app), and risks undermining developer collaboration and innovation across health services. The leak has provoked internal alarm and debate about trade-offs between security and openness.
NHS England is preparing to remove most of its open-source repositories, citing security concerns after advances in AI-powered scanners such as Mythos. Former government open-source advocates and leaked internal guidance (SDLC-8) indicate a shift away from the long-standing UK public-sector default of making code open, contradicting the Tech Code of Practice, NHS service standards, and DHSC commitments that promote open code by default. Critics argue this is an overreaction — the NCSC and AI Safety Institute do not recommend blanket closures — and note practical and policy issues: millions of lines are already public, the assessment burden will be huge, and past NHS open-sourcing (eg, the COVID tracing app) did not cause incidents. The move risks undermining reuse, transparency, and developer collaboration across health tech.
NHS England is reportedly moving to shut down most of its open source repositories, citing security concerns after advances in automated vulnerability scanners like Mythos. The decision, reflected in recent guidance SDLC-8, would reverse longstanding UK government and NHS commitments to open source, including guidance from the Tech Code of Practice, the Service Standard, DHSC’s “Data saves lives” pledge, and NHS Digital’s Software Engineering Quality Framework. Critics — including former UK government open source advocates — argue the closure is an overreaction, unnecessary for the majority of repos (datasets, front-end, research tools) and logistically burdensome given thousands of public NHS GitHub repositories already copied. The move risks undermining reuse, transparency, and prior policy alignment across government digital services.