“Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.
The Alpha-Omega Project
Partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code – and get them fixed – to improve global software supply chain security.
Join the team and help us deepen Alpha-Omega's impact on the open source supply chain.
More About Alpha and Omega
Alpha: Focusing on the Most Critical OSS Projects
Alpha will be collaborative in nature, targeting and evaluating the most critical open source projects to help them improve their security postures. These projects will include standalone projects and core ecosystem services. They will be selected based on the work by the OpenSSF Securing Critical Projects working group using a combination of expert opinions and data, including the OpenSSF Criticality Score and Harvard’s “Census” analysis identifying critical open source software.
For these selected projects, Alpha team members will provide tailored help to understand and address security gaps. Help can include threat modeling, automated security testing, source code audits, and support remediating vulnerabilities that are discovered. It can also include implementing best practices drawn from criteria outlined by the OpenSSF Scorecard and Best Practices Badge projects.
Alpha will track a series of important metrics, giving stakeholders a better understanding of the security of the open source projects they depend on. The public will receive a transparent, standardized view of each project’s security posture and compliance with security best practices.
Omega: Focusing on the Long Tail of OSS Projects
Omega will use automated methods and tools to identify critical security vulnerabilities across at least 10,000 widely-deployed open source projects. This will be accomplished using a combination of technology (cloud-scale analysis), people (security analysts triaging findings) and process (confidentially reporting critical vulnerabilities to the right OSS project stakeholders). Omega will have a dedicated team of software engineers continually tuning the analysis pipeline to reduce false positive rates and identify new vulnerabilities.
Omega community members will provide suggestions on how to automate detection of security vulnerabilities in the future and more generally on efficient ways to implement security best practices.
Frequently Asked Questions
What is the engagement model for the public? How can individuals get involved?
For now, the best way for the public to engage is through the OpenSSF working groups, in particular the Securing Critical Projects, Best Practices for OSS Developers, and Vulnerability Disclosures groups. We will also be hosting a monthly public meeting on the first Wednesday of each month.
How can organizations get involved?
Please direct colleagues from your organizations to the working groups. If you’re interested in helping fund Alpha-Omega please contact us directly at firstname.lastname@example.org.
Will the Omega group of security researchers be community-driven, where contributors come and go, or selected, consistent individuals?
Initially, these will be staff positions, hired by the Linux Foundation and working in a dedicated manner on Omega. We’re exploring ways for the community to be engaged and contribute meaningfully.
How will critical projects be identified?
An OpenSSF working group has created an initial critical projects list to begin prioritizing the work. The initial focus will be on areas where we can learn and have impact quickly.
How will you interact with the OSS projects for which you find vulnerabilities?
We will continue to lean on the OpenSSF working groups and our own internal teams for guidance. It is unlikely that we will diverge from normal best practices. Working directly with the maintainers is key and we won’t start finding vulnerabilities without an initial relationship in place.
Is Alpha-Omega a security project to prevent hacking attacks, or is another layer of security going to be added using Alpha-Omega?
Alpha-Omega is neither the beginning nor the end of good security practices. The goal is to reduce the volume of serious exploitable vulnerabilities in the ecosystem, making it harder for attackers to carry out an attack. This complements many other efforts, so in that sense, yes, Alpha-Omega is like an additional layer of protection that will be directed where it can have the most impact.