The Open Source Security Foundation announced $10 million in funding from a pool of tech and financial companies, including $5 million from Microsoft and Google, to find vulnerabilities in open source projects:
The “Alpha” side will emphasize vulnerability testing by hand in the most popular open-source projects, developing close working relationships with a handful of the top 200 projects for testing each year. “Omega” will look more at the broader landscape of open source, running automated testing on the top 10,000.
This is an excellent idea. This code ends up in all sorts of critical applications.
Log4j would be a prototypical vulnerability that the Alpha team might look for – an unknown problem in a high-impact project that automated tools would not be able to pick up before a human discovered it. The goal is not to use the personnel engaged with Alpha to replicate dependency analysis, for example.
More Stories
CISA Launches Playbook to Boost AI Cybersecurity Collaboration
CISA launched the JCDC AI Cybersecurity Playbook to enhance collaboration on AI cybersecurity risks Read More
Multi-Cloud Adoption Surges Amid Rising Security Concerns
A new report from Fortinet reveals increased adoption of multi-cloud strategies and hybrid implementations combining on-premises and public cloud infrastructure...
Chinese PlugX Malware Deleted in Global Law Enforcement Operation
The FBI deleted Chinese PlugX malware from thousands of devices in the US, using a technique developed by French cybersecurity...
Illicit Crypto-Inflows Set to Top $51bn in a Year
Chainalysis estimates threat actors made at least $51bn through crypto crime in 2024 Read More
Phishing False Alarm
A very security-conscious company was hit with a (presumed) massive state-actor phishing attack with gift cards, and everyone rallied to...
Fortinet Confirms Critical Zero-Day Vulnerability in Firewalls
The security provider published mitigation measures to prevent exploitation Read More