Alpha-Omega is an OpenSSF project, established in February 2022, with a mission to protect society by improving the security of open source software through direct maintainer engagement and expert analysis, trying to build a world where critical open source projects are secure and that security vulnerabilities are found and fixed quickly. During our first year, we helped fund important security work for some of the most important open source projects and have begun to see the impact of that work. We’re happy to share our first annual report, which describes what we’ve accomplished, what we’ve learned, and the impact we hope to have in 2023.
Today, we’re excited to share that the Open Source Security Foundation (OpenSSF) Project Alpha-Omega is committing $350,000 to reduce potential security incidents for jQuery by helping modernize its consumers and its code.
As part of the OpenSSF’s continued investment in critical open-source projects, we are happy to announce new partnerships and tooling from the Alpha-Omega Project. Alpha-Omega will sponsor critical security work with a $460K grant to the Rust Foundation. This work expands on funding previously announced earlier this year, bringing our total investment to over $1.5M this year.
As part of the OpenSSF’s continued investment in critical open-source projects, we are pleased to announce that the OpenSSF’s Alpha-Omega Project has committed to $800,000 in funding split equally among the Python Software Foundation (PSF) and the Eclipse Foundation to fund critical security roles. We are also happy to announce that the Secure Open Source Rewards pilot program will be managed by the Alpha-Omega Project.
Authors: Brian Behlendorf, OpenSSF, and Robin Bender Ginn, OpenJS Foundation
Today, we’re excited to announce that Node.js is the first open source community to be supported by OpenSSF’s Alpha-Omega Project. Alpha-Omega is committing $300k to bolster the Node.js security team and vulnerability remediation efforts through the rest of 2022, with a focus on supporting better open source security standards and practices.
The open source software project Node.js is everywhere, and people put a lot of trust into the products and services that are built with Node.js, from NASA to Netflix. But many community-led JavaScript projects lack the time, people, and expertise for comprehensive security measures. Few companies that depend on Node.js contribute back to the project. Our hope is this can inspire more organizations that depend upon Node.js to also participate in its security efforts.
This assistance will relieve the pressure on Node.js project maintainers who are strained by market demands for new features while striving for a stable and secure codebase. Specifically, this will bring in security engineering resources from NearForm and Trail of Bits to support the Node.js Technical Steering Committee, help triage reports, steward security releases, improve security broadly for Node.js, and encourage implementing best practices in JavaScript projects across the industry.
Node.js carries a high criticality score for its influence and importance based on parameters established by industry security experts at OpenSSF. Almost 98% of the world’s 1.9 billion websites use JavaScript, the top programming language according to research by RedMonk and GitHub. Node.js – server-side JavaScript – was downloaded over 2 billion times in 2021. It’s pervasive across the industry, used in a significant portion of modern applications.
Both of us (Robin and Brian) are excited about this collaboration and the prospect of setting an example for both the OpenSSF and OpenJS communities.
We’ve scheduled a webinar on February 16, 2022 at 10:00 AM US/Pacific time for anyone who wants to learn more about Project Alpha-Omega and registration is now open!
Hear from Brian Behlendorf (OpenSSF GM), David A. Wheeler (OpenSSF Director of Security), and Alpha-Omega project leaders Michael Scovetta (Microsoft) and Michael Winser (Google) to learn more about near term goals, milestones, and opportunities for participation in the Alpha-Omega Project.
