Playlist "GUADEC 2016"

WebKit security updates

Michael Catanzaro

Major Linux distributions have a problem with WebKit security. Whereas major desktop browsers push automatic security updates directly to users on a regular basis so that users don’t have to worry about updates, Linux users are dependent on their distributions to release updates. Well over 100 vulnerabilities that could allow remote code execution were fixed in WebKit last year, so getting updates out to users is critical. This talk examines the disconnect between how the WebKit project handles security issues upstream and how different major distributions do (or do not) handle security issues, shows that WebKit security issues have widespread impact even for users who do not use a WebKit-based web browser, and discusses the security consequences of the split between the original WebKit API and WebKit2.