PART 4
Prevention
Slides 19–27 · OWASP's mitigations, one per slide
Slide 19 · Mitigation 1 of 9 — Vet Sources & Suppliers
Know who you're trusting — before you trust them.
📄 OWASP LLM Top 10:2025 · LLM03 Prevention #1
OWASP — Vet Sources & Suppliers
Carefully vet data sources, model suppliers, and their terms

“Carefully vet the sources of data and suppliers, including their terms & conditions and privacy policies… ensure no changes in their security posture or T&Cs.”

The fake “OpenAI” repo (Slide 14) and PoisonGPT (Slide 15) both won by impersonating a trusted source. The T&Cs scenario (Slide 18) is a supplier quietly changing the deal. None survive actual vetting of who the supplier is and what their terms allow.

→ Maintain an approved-supplier list; pin to specific verified publishers, not names
→ Confirm the real identity behind a model/dataset, not just the display name
→ Re-review terms and privacy policies on a schedule — treat a T&Cs change as a security event

Pick any model in your stack and ask: who published it, how do we know, and what do their current terms permit? If you can't answer all three, it isn't vetted.
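The three questions above, turned into an automated gate. This is an added example, not part of the original slide or of OWASP's text; the `publisher_id` field, the 90-day interval, the finding labels and all sample data are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # assumed schedule; set to your policy

@dataclass(frozen=True)
class Supplier:
    publisher_id: str    # immutable registry account ID (assumed to exist)
    display_name: str    # what a human sees; never used as the trust key
    terms_sha256: str    # hash of the T&Cs text that was actually reviewed
    reviewed_on: date

def terms_hash(text: str) -> str:
    # Collapse whitespace so re-wrapped text does not raise a false alarm.
    return hashlib.sha256(" ".join(text.split()).encode("utf-8")).hexdigest()

def vet(artifact, approved, current_terms, today):
    """Return a list of findings; an empty list means the artifact is vetted."""
    supplier = approved.get(artifact["publisher_id"])
    if supplier is None:
        names = {s.display_name.casefold() for s in approved.values()}
        # Same display name under a different account is the impersonation case.
        if artifact["display_name"].casefold() in names:
            return ["impersonation"]
        return ["unapproved-publisher"]
    findings = []
    if terms_hash(current_terms) != supplier.terms_sha256:
        findings.append("terms-changed")      # handle as a security event
    if today - supplier.reviewed_on > REVIEW_INTERVAL:
        findings.append("review-overdue")
    return findings

# Constructed sample data, not real suppliers or terms.
REVIEWED_TERMS = "Customer data is not used for training."
APPROVED = {
    "org-0001": Supplier("org-0001", "Example Labs",
                         terms_hash(REVIEWED_TERMS), date(2025, 1, 15)),
}

if __name__ == "__main__":
    today = date(2025, 3, 1)
    real = {"publisher_id": "org-0001", "display_name": "Example Labs"}
    fake = {"publisher_id": "org-9999", "display_name": "example labs"}
    print(vet(real, APPROVED, REVIEWED_TERMS, today))
    print(vet(fake, APPROVED, REVIEWED_TERMS, today))
    print(vet(real, APPROVED, REVIEWED_TERMS + " Except as amended.", today))
```

Run it in CI or at model-pull time and block on any non-empty result; the current terms text has to be fetched from the supplier by a separate step.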
