
Partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code – and get them fixed – to improve global software supply chain security.

“Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.


Webinar: Intro to The Alpha-Omega Project

Watch the Webinar on YouTube or view the presentation.


Recent News


OpenSSF Project Alpha-Omega Invests in the OpenJS Foundation and jQuery to Help Secure the Consumer Web

Oct 24, 2022

Today, we’re excited to share that the Open Source Security Foundation (OpenSSF) Project Alpha-Omega is committing $350,000 to reduce potential security incidents for jQuery by helping modernize its consumers and its code.


Alpha-Omega Project Announces Over $1.5M in Grants to Critical Open Source Projects and New Omega Analysis Toolchain

Sep 13, 2022

As part of the OpenSSF’s continued investment in critical open-source projects, we are happy to announce new partnerships and tooling from the Alpha-Omega Project. Alpha-Omega will sponsor critical security work with a $460K grant to the Rust Foundation. This work expands on funding previously announced earlier this year, bringing our…

OpenSSF Funds Python and Eclipse Foundations and Acquires SOS.dev through Alpha-Omega Project

Jun 20, 2022

As part of the OpenSSF’s continued investment in critical open-source projects, we are pleased to announce that the OpenSSF’s Alpha-Omega Project has committed to $800,000 in funding split equally among the Python Software Foundation (PSF) and the Eclipse Foundation to fund critical security roles. We are also happy to announce…

OpenSSF Selects Node.js as Initial Project to Improve Supply Chain Security

Apr 18, 2022

Authors: Brian Behlendorf, OpenSSF, and Robin Bender Ginn, OpenJS Foundation. Today, we’re excited to announce that Node.js is the first open source community to be supported by OpenSSF's Alpha-Omega Project. Alpha-Omega is committing $300k to bolster the Node.js security team and vulnerability remediation efforts through the rest of 2022, with…


More About Alpha and Omega

Alpha: Focusing on the Most Critical OSS Projects

Alpha will be collaborative in nature, targeting and evaluating the most critical open source projects to help them improve their security postures. These projects will include standalone projects and core ecosystem services. They will be selected based on the work by the OpenSSF Securing Critical Projects working group using a combination of expert opinions and data, including the OpenSSF Criticality Score and Harvard’s “Census” analysis identifying critical open source software.

For these selected projects, Alpha team members will provide tailored help to understand and address security gaps. Help can include threat modeling, automated security testing, source code audits, and support remediating vulnerabilities that are discovered. It can also include implementing best practices drawn from criteria outlined by the OpenSSF Scorecard and Best Practices Badge projects.

Alpha will track a series of important metrics, giving stakeholders a better understanding of the security of the open source projects they depend on. The public will receive a transparent, standardized view of each project’s security posture and its compliance with security best practices.

Omega: Focusing on the Long Tail of OSS Projects

Omega will use automated methods and tools to identify critical security vulnerabilities across at least 10,000 widely-deployed open source projects. This will be accomplished using a combination of technology (cloud-scale analysis), people (security analysts triaging findings) and process (confidentially reporting critical vulnerabilities to the right OSS project stakeholders). Omega will have a dedicated team of software engineers continually tuning the analysis pipeline to reduce false positive rates and identify new vulnerabilities.

Omega community members will provide suggestions on how to automate detection of security vulnerabilities in the future and more generally on efficient ways to implement security best practices.

Frequently Asked Questions

What is the engagement model for the public? How can individuals get involved?

For now, the best way for the public to engage is through the OpenSSF working groups, in particular the Securing Critical Projects, Best Practices for OSS Developers, and Vulnerability Disclosures groups. We will also be hosting a monthly public meeting on the first Wednesday of each month.

How can organizations get involved?

Please direct colleagues from your organization to the working groups. If you’re interested in helping fund Alpha-Omega, please contact us directly at http://members.openssf.org/.

Will the Omega group of security researchers be community-driven, where contributors come and go, or selected, consistent individuals?

Initially, these will be staff positions, hired by the Linux Foundation and working in a dedicated manner on Omega. We’re exploring ways for the community to be engaged and contribute meaningfully.

How will critical projects be identified?

An OpenSSF working group has created an initial critical projects list to begin prioritizing the work. The initial focus will be on areas where we can learn and have impact quickly.

How will you interact with the OSS projects for which you find vulnerabilities?

We will continue to lean on the OpenSSF working groups and our own internal teams for guidance. It is unlikely that we will diverge from normal best practices. Working directly with the maintainers is key and we won’t start finding vulnerabilities without an initial relationship in place.

Is Alpha-Omega a security project to prevent hacking attacks, or is another layer of security going to be added using Alpha-Omega?

Alpha-Omega is neither the beginning nor the end of good security practices. The goal is to reduce the volume of serious exploitable vulnerabilities in the ecosystem, making it harder for attackers to carry out an attack. This complements many other efforts, so in that sense, yes, Alpha-Omega is an additional layer of protection, directed where it will have the most impact.