3 Sources
[1]
Microsoft, OpenAI & Others Pony Up $12.5M To Strengthen Open-Source Security
"As the security landscape grows more complex, advances in AI are dramatically increasing the speed and scale of vulnerability discovery in open source software. Maintainers are now facing an unprecedented influx of security findings, many of which are generated by automated systems, without the resources or tooling needed to triage and remediate them effectively. Through this investment, Alpha-Omega and OpenSSF will work directly with maintainers and their communities to make emerging security capabilities accessible, practical, and aligned with existing project workflows. The effort will support sustainable strategies that help maintainers manage growing security demands while improving the overall resilience of the open source ecosystem."
[2]
Linux Foundation wants to shield FOSS devs from AI bug slop
Half a dozen Big Tech players have together delivered $12.5 million in grants towards a project that aims to help maintainers of open source projects to cope with AI slop bug reports.

"As the security landscape grows more complex, advances in AI are dramatically increasing the speed and scale of vulnerability discovery in open source software," explains a Linux Foundation announcement about the initiative. "Maintainers are now facing an unprecedented influx of security findings, many of which are generated by automated systems, without the resources or tooling needed to triage and remediate them effectively."

Anthropic, AWS, GitHub, Google, Microsoft, and OpenAI have decided they want to help, by collectively chipping in $12.5 million to the project. Alpha-Omega, the Linux Foundation project that works to improve the security of open source supply chains, will run the new effort alongside the Open Source Security Foundation (OpenSSF). We're told the two organizations "work directly with maintainers and their communities to make emerging security capabilities accessible, practical, and aligned with existing project workflows." Further: "The effort will support sustainable strategies that help maintainers manage growing security demands while improving the overall resilience of the open source ecosystem."

The Linux Foundation's announcement includes a canned quote from Greg Kroah-Hartman of the Linux kernel project, which opens "Grant funding alone is not going to help solve the problem that AI tools are causing today on open source security teams." Fear not, gentle reader, GKH didn't dump on this idea. The quote continues: "OpenSSF has the active resources needed to support numerous projects that will help these overworked maintainers with the triage and processing of the increased AI-generated security reports they are currently receiving."

There's no word on exactly what this project will do, or when it will happen.
The problem of AI-generated bug reports overwhelming FOSS maintainers is not new. The Python Software Foundation complained about it in late 2024. More recently, the maintainer of a popular open-source data transfer tool ended the project's bug bounty program due to difficulties caused by a flood of AI-generated contributions. Even Microsoft's GitHub has pondered doing something about a torrent of low quality, AI-generated contributions to FOSS projects.
[3]
Our latest investment in open source security for the AI era
Billions of people rely on an Internet built on open source software -- which is software anyone can use -- but that reliance only works if the software beneath it is secure. That's why for over 20 years, Google has championed open source by supporting the developers who secure it -- fueling initiatives like Google Summer of Code and bug-hunting programs that discover and fix more vulnerabilities.

Today, as a founding member of the Linux Foundation's Alpha-Omega Project, we're pledging $12.5 million collectively with Amazon, Anthropic, Microsoft/GitHub and OpenAI to further invest in the stability and security of the open source community. The funding, managed by Alpha-Omega and OpenSSF, will help maintainers stay ahead of a new generation of AI-driven threats, move security beyond vulnerability discovery to actually deploying fixes, and put advanced security tools directly into maintainers' hands, to turn a flood of AI-generated findings into fast action.

In addition to its industry-wide commitments, Google is dedicated to helping the open source community to outpace evolving threats and tip the scales in favor of the defenders by providing advanced AI tools for wider use. Internally, Big Sleep and CodeMender, both AI-powered tools from Google DeepMind, have already shown incredible success in helping us protect our own systems, demonstrating that AI can autonomously find and fix deep, exploitable vulnerabilities in systems as complex as the Chrome browser. We're also extending research initiatives like Sec-Gemini to open source projects (interest form). These breakthroughs show the transformational potential of AI to secure the wider open source ecosystem.

Open source is the backbone of the modern web, and we're proud to support the maintainers who secure it to move faster, stay safer and continue building the future.
Microsoft, OpenAI, Google, and three other tech companies are pooling $12.5 million to help open-source maintainers cope with an overwhelming surge of AI-generated security bug reports. The Linux Foundation's Alpha-Omega project will manage the initiative, aiming to provide tools and resources that help developers triage automated vulnerability findings more effectively.
Microsoft, OpenAI, Google, Anthropic, AWS, and GitHub have collectively committed $12.5 million to tackle a growing crisis in open-source security: the flood of AI-generated security bug reports overwhelming project maintainers [2]. The funding will be managed by the Linux Foundation's Alpha-Omega project and the Open Source Security Foundation (OpenSSF), both dedicated to strengthening the resilience of the open-source ecosystem [1].

As AI accelerates vulnerability discovery in open-source software, maintainers face an unprecedented challenge. Automated systems are generating security findings at speeds and scales never seen before, yet most projects lack the resources or tooling to triage and remediate them effectively [1]. This surge of AI bug slop (low-quality, automated contributions) has already forced some projects to shut down bug bounty programs entirely [2].

Billions of people depend on an Internet built on open-source software, making the security landscape more critical than ever [3]. Google has championed open source for over 20 years through initiatives like Google Summer of Code and bug-hunting programs [3]. The new funding aims to move beyond mere vulnerability discovery to actually deploying fixes, putting advanced security tools directly into maintainers' hands [3].

Linux kernel developer Greg Kroah-Hartman acknowledged that while funding alone won't solve the problem AI tools are causing, OpenSSF has the active resources needed to support numerous projects and help overworked maintainers process the increased volume of AI-generated security reports [2]. The Python Software Foundation raised concerns about this issue in late 2024, signaling that the problem extends across FOSS communities [2].

Google is extending its commitment beyond the collective investment by making advanced AI tools available to the wider open-source community. Big Sleep and CodeMender, both AI-powered tools from Google DeepMind, have demonstrated success in autonomously finding and fixing deep, exploitable vulnerabilities in systems as complex as the Chrome browser [3]. Google is also extending research initiatives like Sec-Gemini to open-source projects, showing how AI can help defenders outpace AI-driven threats [3].

Alpha-Omega and OpenSSF will work directly with maintainers and their communities to make emerging security capabilities accessible, practical, and aligned with existing project workflows [1]. The effort will support sustainable strategies that help maintainers manage growing security demands while improving the overall resilience of the open-source ecosystem [2].

While specific implementation details and timelines remain undisclosed, the initiative addresses a pressing need as AI continues to reshape both the threat landscape and defense mechanisms in open-source software security [2]. Maintainers and the broader FOSS community will be watching to see how this funding translates into practical tools that turn the flood of AI-generated findings into fast, actionable security improvements.