“Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.
Partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code – and get them fixed – to improve global software supply chain security.
Alpha-Omega Project First Year In Review, Plus New Funding Pledge
Dec 14, 2022
Alpha-Omega is an OpenSSF project, established in February 2022, with a mission to protect society by improving the security of open source software through direct maintainer engagement and expert analysis, trying to build a world where critical open source projects are secure and that security vulnerabilities are found and fixed…
OpenSSF Project Alpha-Omega Invests in the OpenJS Foundation and jQuery to Help Secure the Consumer Web
Oct 24, 2022
Today, we’re excited to share that the Open Source Security Foundation (OpenSSF) Project Alpha-Omega is committing $350,000 to reduce potential security incidents for jQuery by helping modernize its consumers and its code.
Alpha-Omega Project Announces Over $1.5M in Grants to Critical Open Source Projects and New Omega Analysis Toolchain
Sep 13, 2022
As part of the OpenSSF’s continued investment in critical open-source projects, we are happy to announce new partnerships and tooling from the Alpha-Omega Project. Alpha-Omega will sponsor critical security work with a $460K grant to the Rust Foundation. This work expands on funding previously announced earlier this year, bringing our…
OpenSSF Funds Python and Eclipse Foundations and Acquires SOS.dev through Alpha-Omega Project
Jun 20, 2022
As part of the OpenSSF’s continued investment in critical open-source projects, we are pleased to announce that the OpenSSF’s Alpha-Omega Project has committed to $800,000 in funding split equally among the Python Software Foundation (PSF) and the Eclipse Foundation to fund critical security roles. We are also happy to announce…
More About Alpha and Omega
Alpha: Focusing on the Most Critical OSS Projects
Alpha will be collaborative in nature, targeting and evaluating the most critical open source projects to help them improve their security postures. These projects will include standalone projects and core ecosystem services. They will be selected based on the work by the OpenSSF Securing Critical Projects working group using a combination of expert opinions and data, including the OpenSSF Criticality Score and Harvard’s “Census” analysis identifying critical open source software.
For these selected projects, Alpha team members will provide tailored help to understand and address security gaps. Help can include threat modeling, automated security testing, source code audits, and support remediating vulnerabilities that are discovered. It can also include implementing best practices drawn from criteria outlined by the OpenSSF Scorecard and Best Practices Badge projects.
Alpha will track a series of important metrics providing stakeholders with a better understanding of the security of the open source project they depend on. The public will receive a transparent, standardized view of the project’s security posture and compliance with security best practices.
Omega: Focusing on the Long Tail of OSS Projects
Omega will use automated methods and tools to identify critical security vulnerabilities across at least 10,000 widely-deployed open source projects. This will be accomplished using a combination of technology (cloud-scale analysis), people (security analysts triaging findings) and process (confidentially reporting critical vulnerabilities to the right OSS project stakeholders). Omega will have a dedicated team of software engineers continually tuning the analysis pipeline to reduce false positive rates and identify new vulnerabilities.
Omega community members will provide suggestions on how to automate detection of security vulnerabilities in the future and more generally on efficient ways to implement security best practices.
Frequently Asked Questions
What is the engagement model for the public? How can individuals get involved?
For now, the best way for the public to engage is through the OpenSSF working groups. In particular the Securing Critical Projects, Best Practices for OSS Developers, and Vulnerability Disclosures groups. We will also be hosting a monthly public meeting on the first Wednesday of each month.
How can organizations get involved?
Please direct colleagues from your organizations to the working groups. If you’re interested in helping fund Alpha-Omega please contact us directly at http://members.openssf.org/.
Will the Omega group of security researchers be community-driven, where contributors come and go, or selected, consistent individuals?
Initially, these will be staff positions, hired by the Linux Foundation and working in a dedicated manner on Omega. We’re exploring ways for the community to be engaged and contribute meaningfully.
How will critical projects be identified?
An OpenSSF working group has created an initial critical projects list to begin prioritizing the work. The initial focus will be on areas where we can learn and have impact quickly.
How will you interact with the OSS projects for which you find vulnerabilities?
We will continue to lean on the OpenSSF working groups and our own internal teams for guidance. It is unlikely that we will diverge from normal best practices. Working directly with the maintainers is key and we won’t start finding vulnerabilities without an initial relationship in place.
Is Alpha-Omega a security project to prevent hacking attacks, or is another layer of security going to be added using Alpha-Omega?
Alpha-Omega is neither the beginning nor the end of good security practices. The goal is to reduce the volume of serious exploitable vulnerabilities from the ecosystem, making it harder for attackers to carry out an attack. This complements many other efforts, so in that way, yes, Alpha-Omega is like an additional layer of protection that will be directed to have the most impact.