Finding Vulnerabilities in Open Source Projects

The Open Source Security Foundation announced $10 million in funding from a pool of tech and financial companies, including $5 million from Microsoft and Google, to find vulnerabilities in open source projects:

The “Alpha” side will emphasize vulnerability testing by hand in the most popular open-source projects, developing close working relationships with a handful of the top 200 projects for testing each year. “Omega” will look more at the broader landscape of open source, running automated testing on the top 10,000.

This is an excellent idea. This code ends up in all sorts of critical applications.

Log4j would be a prototypical vulnerability that the Alpha team might look for—an unknown problem in a high-impact project that automated tools would not be able to pick up before a human discovered it. The goal is not to use the personnel engaged with Alpha to replicate dependency analysis, for example.

Posted on February 2, 2022 at 9:58 AM


Quantry February 2, 2022 10:59 AM

“providing stakeholders with a better understanding of the security of the open source project they depend on”

Humbling Open Source in the process, and providing zero-days for key players.

“Microsoft and Google’s support of the Alpha-Omega Project with an initial investment of $5 million and committed personnel is jump-starting the initiative.”

doesn’t sound just a little odd with those names first at the gate:

Woolvz guarding the chicken coop. I feel safer now.

Ted February 2, 2022 1:00 PM


doesn’t sound just a little odd with those names first at the gate: TWO OPENLY COMMITTED to HIDING THEIR SOURCE???

Correct me if I’m wrong, but doesn’t open-source software get used in these companies’ enterprise apps and cloud services? Take Log4j for example.

Wannab techguy February 2, 2022 8:14 PM

@ Quantry
“Woolvz guarding the chicken coop. I feel safer now.” I know I sure do!

Ted February 2, 2022 9:50 PM

I hope you all feel safer 🙂

Both the Open Source Security Foundation (OpenSSF) and the Linux Foundation are playing prominent roles in improving software supply chain security.

The White House held a software security summit in January 2022 that invited stakeholders to discuss open-source software security. Part of President Biden’s 2021 Executive Order on Cybersecurity will require that the federal government only purchase software that meets certain secure development lifecycle practices.

There may have been additional companies that donated. I am curious where people think the money for these updates should come from, or whether there is a “safer” way for these issues to be addressed.

SpaceLifeForm February 4, 2022 4:58 AM

The CSRB will review and assess significant cybersecurity events so that government, industry, and the broader security community can better protect our nation’s networks and infrastructure. The CSRB’s first review will focus on the vulnerabilities discovered in late 2021 in the widely used log4j software library.

CSRB Members:

  • Robert Silvers, Under Secretary for Policy, Department of Homeland Security (CSRB Chair)
  • Heather Adkins, Senior Director, Security Engineering, Google (CSRB Deputy Chair)
  • Dmitri Alperovitch, Co-Founder and Chairman, Silverado Policy Accelerator; Co-Founder and former CTO, CrowdStrike, Inc.
  • John Carlin, Principal Associate Deputy Attorney General, Department of Justice
  • Chris DeRusha, Federal Chief Information Security Officer, Office of Management and Budget
  • Chris Inglis, National Cyber Director, Office of the National Cyber Director
  • Rob Joyce, Director of Cybersecurity, National Security Agency
  • Katie Moussouris, Founder and CEO, Luta Security
  • David Mussington, Executive Assistant Director for Infrastructure Security, Cybersecurity and Infrastructure Security Agency
  • Chris Novak, Co-Founder and Managing Director, Verizon Threat Research Advisory Center
  • Tony Sager, Senior Vice President and Chief Evangelist, Center for Internet Security
  • John Sherman, Chief Information Officer, Department of Defense
  • Bryan Vorndran, Assistant Director, Cyber Division, Federal Bureau of Investigation
  • Kemba Walden, Assistant General Counsel, Digital Crimes Unit, Microsoft
  • Wendi Whitmore, Senior Vice President, Unit 42, Palo Alto Networks

Gilbert Fernandes February 5, 2022 9:45 PM

What I found quite disturbing is that after the log4j vulnerabilities, the US government asked some major players to come talk about security and totally left aside the open source developers: they invited no one from the GNU Project. Most servers on this planet run Linux, most of the Internet. And who do they invite to talk about security after log4j? Google, Apple, Microsoft and the like. WTF, seriously. Did anyone offer funds or help to the few people working on log4j and spending hours of their personal time to fix the vulnerabilities? Did anyone at those big companies using log4j help them or offer anything as support for the work they keep using all around their infrastructure?

Grima Squeakersen February 7, 2022 2:53 PM

@Wannab techguy re: woolvz – B-b-but the lupines have promised that anyone they assign will go vegan for the duration of the project. That is a sufficient safeguard, no?
