OpenSSF announced the Alpha-Omega Project to improve the security posture of open-source software by working together with software security experts.
Microsoft and Google are supporting the project, which has a $5 million investment and aims to improve global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code.
The project is being split into two sides, Alpha and Omega. Alpha will work with the most critical open source projects to improve their security posture. The projects will include standalone projects and core ecosystem services that will be selected based on the work by the OpenSSF Securing Critical Projects working group.
Omega will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.
“Open source software is a vital component of critical infrastructure for modern society. Therefore we must take every measure necessary to keep it and our software supply chains secure,” said Brian Behlendorf, the general manager of OpenSSF. “Alpha-Omega supports this effort in an open and transparent way by directly improving the security of open source projects through proactively finding, fixing, and preventing vulnerabilities. This is the start of what we at OpenSSF hope will be a major channel for improving OSS security.”