Companies struggle to understand the extent to which they are affected by vulnerabilities in open source software, but security specialists and maintainers are striving to secure the ecosystem.