
7 Critical Facts About the NHS's Concerning Shift Away from Open Source

Last updated: 2026-05-02 06:07:23 · Open Source

In a move that has sent shockwaves through the developer community, the UK's National Health Service (NHS) is reportedly preparing to shutter the vast majority of its public open-source repositories. The trigger? A growing fear that increasingly sophisticated large language models (LLMs)—such as Anthropic's Mythos—could automate the discovery of security vulnerabilities in published code. But is this a proportionate response, or a dangerous overreaction that contradicts the government's own tech guidance? Below, we break down the seven essential things you need to know about this controversial decision.

1. The Core Decision: What Is Actually Happening?

The NHS plans to close almost all of its publicly available open-source repositories. The rationale, according to reports by Terence Eden, is that LLM-driven security scanning tools have become so powerful that any shared code could be exploited by malicious actors. The move is intended to reduce the attack surface, but critics argue it is a blunt instrument that punishes transparency for the sake of theoretical risk. Internal NHS guidance now strongly recommends taking repositories private or deleting them entirely, affecting thousands of projects that have been freely available for years.

Source: lwn.net

2. Most NHS Repositories Are Low-Risk—You Can't Exploit a Dataset

One of the most damning points raised against the decision is that the majority of NHS code repositories are not made any riskier by advances in vulnerability scanning. They contain datasets, internal tooling documentation, research methodologies, front-end design patterns, and guidance notes. As Eden notes, "There is nothing in them which could realistically lead to a security incident." Shutting down these repos offers no security benefit, but it does deprive the wider community of valuable resources, especially researchers, students, and small developers who depend on open-source health software.

3. The NHS Has a Strong Open-Source Track Record—Including During COVID

The irony is that the NHS, particularly through its former digital unit NHSX, was once a champion of open-source transparency. During the pandemic, the team made a deliberate, confident decision to release the COVID-19 Contact Tracing app as open source from day one. This was a nationally mandated app, installed on millions of phones, under intense scrutiny from hostile states—yet the published code, architecture, and documentation caused zero security incidents. That experience directly contradicts the current fear-driven approach.

4. The Policy Contradicts the UK's Own Tech Code of Practice

The new guidance is in direct opposition to the UK Government's own Technology Code of Practice, specifically Point 3, which states: "Be open and use open source." The code insists that government organisations should publish code under an open-source licence and contribute back to the community. By closing repositories, the NHS is effectively ignoring its own endorsed standards, creating a worrying precedent for other public bodies. This contradiction undermines trust and raises questions about how seriously the government takes its own digital policies.

5. The Real Vulnerabilities Aren't Where You Think

While LLMs like Mythos can find certain classes of security bugs (e.g., SQL injection, hard-coded credentials), they are far from infallible. Security experts also point out that taking a repository private does not remove the code from the systems that run it: attackers can still probe the deployed services directly, and whatever flaws exist in the code remain exploitable whether or not the source is published. Moreover, many of the most serious NHS security incidents have stemmed from misconfigured databases or phishing attacks, not from anyone reviewing open-source code. The move may actually reduce the number of eyes on the code, making hidden flaws more likely to persist undetected.

6. The Impact on the Developer Community and Innovation

Closing these repositories will have a chilling effect on health-tech innovation. Open-source projects allow external developers to audit, improve, and build upon the NHS's work. Independent researchers, startups, and academic institutions rely on these resources to create life-saving applications and research. Without access, they will be forced to reinvent the wheel or, worse, work with outdated, unverified code. The NHS risks isolating itself from the very community that could help improve its digital infrastructure.

7. There Are Better Alternatives—Proportional, Not Panicked, Security

Instead of a blanket takedown, security experts recommend a more nuanced approach: run automated scanning tools over the repositories (the same class of tooling the NHS fears attackers will use), and maintain a responsible disclosure process for vulnerabilities found by LLMs or humans. The NHS could require two-factor authentication for maintainer accounts and write access, implement strict review gates for sensitive modules, or use temporary private forks for critical components until they have been reviewed and are ready for public release. These measures would balance transparency with security, without throwing away years of open-source contribution. Panic-driven policy rarely serves the public good; thoughtful, layered security does.
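Point 5 names the bug classes that are cheap to find automatically, and point 7 argues for scanning before publication rather than taking repositories down. The following is an added example, not NHS code and not from Eden's post: a small pre-publication gate in Python that runs two heuristic checks over a constructed, hypothetical repository (literal strings assigned to credential-like names, and SQL statements built by string concatenation or formatting). The repository contents, rule names and regular expressions are all assumptions for illustration; a real gate would call a maintained scanner, and the output is a triage list for a human reviewer, not a verdict on the repository.

```python
import re
from dataclasses import dataclass

# Constructed sample "repository" (path -> contents). Hypothetical, not NHS code.
# db.py builds SQL by concatenation; settings.py hard-codes a password;
# the markdown file is the kind of documentation-only content point 2 describes.
SAMPLE_REPO = {
    "app/db.py": (
        "import sqlite3\n"
        "def find_patient(conn, nhs_number):\n"
        "    cur = conn.cursor()\n"
        "    cur.execute(\"SELECT * FROM patients WHERE nhs_number = '\" + nhs_number + \"'\")\n"
        "    return cur.fetchone()\n"
    ),
    "app/settings.py": (
        "import os\n"
        "DB_PASSWORD = 'hunter2-not-a-real-secret'\n"
        "API_KEY = os.environ.get('API_KEY')\n"
    ),
    "docs/methodology.md": "# Data linkage methodology\n\nWe join on pseudonymised IDs.\n",
}

# The same repository after the two findings have been fixed (also constructed).
HARDENED_REPO = {
    "app/db.py": (
        "def find_patient(conn, nhs_number):\n"
        "    cur = conn.cursor()\n"
        "    cur.execute(\"SELECT * FROM patients WHERE nhs_number = ?\", (nhs_number,))\n"
        "    return cur.fetchone()\n"
    ),
    "app/settings.py": "import os\nDB_PASSWORD = os.environ['DB_PASSWORD']\n",
    "docs/methodology.md": SAMPLE_REPO["docs/methodology.md"],
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    text: str


# Rule 1: a quoted literal assigned to a name that looks like a credential.
# Reading the value from the environment (os.environ[...]) does not match.
SECRET_ASSIGN = re.compile(
    r"""^\s*(?P<name>\w*(?:password|passwd|secret|api_key|token)\w*)\s*=\s*["'][^"']+["']""",
    re.IGNORECASE,
)

# Rule 2: an execute() call whose argument is built with an f-string, "+",
# str.format() or "%" before the first ")". Parameterised calls such as
# execute("... = ?", (x,)) do not match. This is a heuristic, so a "+" inside a
# SQL literal will produce a false positive for the reviewer to dismiss.
SQL_BUILD = re.compile(r"""execute\w*\(\s*(?:f["']|[^)]*?(?:\+|\.format\(|%\s*\())""")


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Run both rules over every line of every file; return findings in path order."""
    findings: list[Finding] = []
    for path, content in sorted(files.items()):
        for lineno, line in enumerate(content.splitlines(), start=1):
            if SECRET_ASSIGN.search(line):
                findings.append(Finding(path, lineno, "hardcoded-credential", line.strip()))
            if SQL_BUILD.search(line):
                findings.append(Finding(path, lineno, "sql-string-building", line.strip()))
    return findings


def publication_gate(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """True when nothing was flagged; otherwise False plus the list to triage."""
    findings = scan_repo(files)
    return (not findings, findings)


if __name__ == "__main__":
    for name, repo in (("sample", SAMPLE_REPO), ("hardened", HARDENED_REPO)):
        ok, findings = publication_gate(repo)
        print(f"{name}: {'clear' if ok else 'needs review'}")
        for f in findings:
            print(f"  {f.path}:{f.line} [{f.rule}] {f.text}")
```

Run as a script, the gate flags the concatenated query and the literal password in the sample repository and passes the hardened one; the documentation-only file produces nothing, which is the practical version of point 2. A gate like this belongs in CI ahead of the step that makes a repository public, with findings routed to a reviewer rather than used to block publication automatically.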

Conclusion: The NHS's decision to go to war against open source is a hasty overreaction to the rise of LLM vulnerability scanning. It misunderstands the nature of the threat, contradicts government policy, and ignores the organisation's own successful track record with open-source transparency. While security is paramount, the answer is not to hide code—it's to protect it smarter. The developer community and patients alike deserve better than a retreat into obscurity. Let's hope the NHS reconsiders before the repositories go dark.