Skip to main content
Alpha-Omega Project Logo White

Alpha-Omega partners with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code – and get them fixed – to improve global software supply chain security.

“Alpha” works with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture. “Omega” identified at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.

Join the Mailing List

Sign up to stay up-to-date.

Webinar: Intro to The Alpha-Omega Project

Watch the Webinar on YouTube or view the presentation.

Express Your Interest

Let us know how you’d like to get involved in the Alpha-Omega Project. I’m Interested.

Recent News

Alpha-Omega 2023 Annual Report

Feb 16, 2024 | aliu

In 2023, Alpha-Omega provided ten grants to eight organizations totaling over $2.8 million dollars, with an average grant size of just over $350,000. In partnership with OpenSSF, Alpha-Omega's mission is to catalyze sustainable security improvements within the most critical open source projects and ecosystems. As a Directed Fund with three…

OpenSSF-Alpha-Omega-OpenRefactory

Finding And Fixing Bugs in Open Source Software at Scale with a Grant from Alpha-Omega

Dec 5, 2023 | OpenSSF

OpenRefactory is working alongside Alpha-Omega's principals to report security vulnerabilities at scale in open source projects. It works with the maintainers to get the vulnerabilities fixed.

OpenSSF Alpha Omega Rust Foundation

Alpha-Omega to Continue Support of Rust Foundation Security Initiative in 2024

Nov 15, 2023 | OpenSSF

Today, Alpha-Omega is excited to announce our second year of supporting the Rust Foundation Security Initiative.  We believe that this funding will build on the good work and momentum established by the Rust Foundation in 2023. Through this partnership, we are helping relieve maintainer burdens while paving an important path…

Alpha-Omega Grant To Help Homebrew Reach SLSA Build Level 2

Nov 6, 2023 | OpenSSF

Alpha-Omega is pleased to announce a grant to the Homebrew project to enable Sigstore attestations and verification of Homebrew packages. When complete the project will allow organizations to securely verify the provenance of the toolchains on their workstations and in their build environments. This is a critical part of securing…

More About Alpha and Omega

Alpha: Focusing on the Most Critical OSS Projects

Alpha is collaborative in nature, targeting and evaluating the most critical open source projects to help them improve their security postures. These projects will include standalone projects and core ecosystem services. They will be selected based on the work by the OpenSSF Securing Critical Projects working group using a combination of expert opinions and data, including the OpenSSF Criticality Score and Harvard’s “Census” analysis identifying critical open source software.

For these selected projects, Alpha team members provide tailored help to understand and address security gaps. Help can include threat modeling, automated security testing, source code audits, and support remediating vulnerabilities that are discovered. It can also include implementing best practices drawn from criteria outlined by the OpenSSF Scorecard and Best Practices Badge projects.

Alpha tracks a series of important metrics providing stakeholders with a better understanding of the security of the open source project they depend on. The public will receive a transparent, standardized view of the project’s security posture and compliance with security best practices.

Omega: Focusing on the Long Tail of OSS Projects

Omega uses automated methods and tools to identify critical security vulnerabilities across at least 10,000 widely-deployed open source projects. This will be accomplished using a combination of technology (cloud-scale analysis), people (security analysts triaging findings) and process (confidentially reporting critical vulnerabilities to the right OSS project stakeholders). Omega has a dedicated team of software engineers continually tuning the analysis pipeline to reduce false positive rates and identify new vulnerabilities.

Omega community members will provide suggestions on how to automate detection of security vulnerabilities in the future and more generally on efficient ways to implement security best practices.

Frequently Asked Questions

What is the engagement model for the public? How can individuals get involved?

For now, the best way for the public to engage is through the OpenSSF working groups. In particular the Securing Critical Projects, Best Practices for OSS Developers, and Vulnerability Disclosures groups. We will also be hosting a monthly public meeting on the first Wednesday of each month.

How can organizations get involved?

Please direct colleagues from your organizations to the working groups. If you’re interested in helping fund Alpha-Omega please contact us directly at http://members.openssf.org/.

Will the Omega group of security researchers be community-driven, where contributors come and go, or selected, consistent individuals?

Initially, these will be staff positions, hired by the Linux Foundation and working in a dedicated manner on Omega. We’re exploring ways for the community to be engaged and contribute meaningfully.

How will critical projects be identified?

An OpenSSF working group has created an initial critical projects list to begin prioritizing the work. The initial focus will be on areas where we can learn and have impact quickly.

How will you interact with the OSS projects for which you find vulnerabilities?

We will continue to lean on the OpenSSF working groups and our own internal teams for guidance. It is unlikely that we will diverge from normal best practices. Working directly with the maintainers is key and we won’t start finding vulnerabilities without an initial relationship in place.

Is Alpha-Omega a security project to prevent hacking attacks, or is another layer of security going to be added using Alpha-Omega?

Alpha-Omega is neither the beginning nor the end of good security practices. The goal is to reduce the volume of serious exploitable vulnerabilities from the ecosystem, making it harder for attackers to carry out an attack. This complements many other efforts, so in that way, yes, Alpha-Omega is like an additional layer of protection that will be directed to have the most impact.