It has been announced that, following a meeting with government and industry leaders at the White House, OpenSSF has announced the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing. Microsoft and Google are supporting the Alpha-Omega Project with an initial investment of $5 million. This builds on previous industry-wide investments into OpenSSF aiming to improve open source software security.
Widely deployed OSS projects that are critical to global infrastructure and innovation have become top targets for adversarial attacks. Following new vulnerability disclosures, adversary attacks can be seen within hours. For example, recently discovered vulnerabilities in the widely deployed Log4j library forced many organizations into crisis as they raced to update applications using the popular library before adversaries could attack. The Alpha-Omega Project will improve global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed.