The Open Source Security Foundation announced $10 million in funding from a pool of tech and financial companies, including $5 million from Microsoft and Google, to find vulnerabilities in open source projects:
The “Alpha” side will emphasize vulnerability testing by hand in the most popular open-source projects, developing close working relationships with a handful of the top 200 projects for testing each year. “Omega” will look more at the broader landscape of open source, running automated testing on the top 10,000.
This is an excellent idea. This code ends up in all sorts of critical applications.
Log4j would be a prototypical vulnerability that the Alpha team might look for – an unknown problem in a high-impact project that automated tools would not be able to pick up before a human discovered it. The goal is not to use the personnel engaged with Alpha to replicate dependency analysis, for example.
More Stories
Friday Squid Blogging: Squid Facts on Your Phone
Text “SQUID” to 1-833-SCI-TEXT for daily squid facts. The website has merch. As usual, you can also use this squid...
Law Enforcement Crackdowns Drive Novel Ransomware Affiliate Schemes
Increased law enforcement pressure has forced ransomware groups like DragonForce and Anubis to move away from traditional affiliate models Read...
SAP Fixes Critical Vulnerability After Evidence of Exploitation
A maximum severity flaw affecting SAP NetWeaver has been exploited by threat actors Read More
M&S Shuts Down Online Orders Amid Ongoing Cyber Incident
British retailer M&S continues to tackle a cyber incident with online orders now paused for customers Read More
Security Experts Flag Chrome Extension Using AI Engine to Act Without User Input
Researchers have found a Chrome extension that can act on the user’s behalf by using a popular AI agent orchestration...
Cryptocurrency Thefts Get Physical
Long story of a $250 million cryptocurrency theft that, in a complicated chain events, resulted in a pretty brutal kidnapping....