From 6897087c290891ed694910089aa385f0a8ff574a Mon Sep 17 00:00:00 2001 From: Michael Scovetta Date: Tue, 23 Jun 2026 07:47:29 -0400 Subject: [PATCH 1/3] Create 2026 Q2 report for Alpha-Omega Added a detailed report for Q2 2026 on Alpha-Omega's initiatives, objectives, and sustainability efforts in open source security. Signed-off-by: Michael Scovetta --- TI-reports/2026/2026-Q2-Alpha-Omega.md | 58 ++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 TI-reports/2026/2026-Q2-Alpha-Omega.md diff --git a/TI-reports/2026/2026-Q2-Alpha-Omega.md b/TI-reports/2026/2026-Q2-Alpha-Omega.md new file mode 100644 index 00000000..48c35fb1 --- /dev/null +++ b/TI-reports/2026/2026-Q2-Alpha-Omega.md @@ -0,0 +1,58 @@ +# 2026 Q1 Alpha-Omega + +## Overview + +Alpha-Omega is running strong, with an increased emphasis on defending against AI-related threats to open source projects and +ecosystems. We recently received $2.5 million in renewed membership from Microsoft and brought on additional contractors (Kevin King, Francis Perrson) to increase our speed of execution. + +## Objectives + +We've made progress in key areas + +We've funded thirteen 6-month contract roles for AI security engineers in residence at each of the major foundations (PHP, Node.js, Drupal, Rust, FreeBSD, Perl, Erlang, OSTIF, Eclipse, Python, Linux Kernel, +[Alpha-Omega Cyber Security OKRs for AI](https://docs.google.com/document/d/1noBehy3nKAyvsy6lAYHtAHgO5uLpzxZ11HgswF-xH3M/edit?tab=t.0) (draft) + +### Glasswing + +* [Frontier AI and the next phase of software vulnerability defence](https://blogs.eclipse.org/post/mike-milinkovich/frontier-ai-and-next-phase-software-vulnerability-defence) + +### Package Manager Sustainability + +Alpha-Omega continues to partner with open source registries to help them investigate and ultimately build sustainable business models +We have two updates: + +* Alpha-Omega signed the recently signed the [Open Infrastructure Is Not Free, Part II: The Hidden Cost of Running Package Registries](https://openssf.org/blog/2026/05/06/open-infrastructure-is-not-free-part-ii-the-hidden-cost-of-running-package-registries/) joint letter on sustainability. +* The Eclipse Foundation recently announced availability of the [Managed Open VSX Registry](https://managed.open-vsx.org/) service. +* Paul Brown has started working more directly with a few package registries to help them accelerate progress in this area. + +* + +* **Objective 1**: Critical maintainers, projects, and ecosystems leverage AI capabilities to rapidly identify and fix exploitable flaws that would have a major impact on downstream consumers. +* **Objective 2**: Enable at least 10,000 OSS projects to apply *advanced* AI security capabilities before those capabilities become publicly available to threat actors. +* **Objective 3**: At least 100,000 OSS maintainers are aware of and able to adopt AI security solutions to proactively identify and fix exploitable security vulnerabilities in their projects. + +### Media Roundup + +We continue to publish blogs multiple times as week (usually written by our grant recipients), available at [alpha-omega.dev/resources/blog/](https://alpha-omega.dev/resources/blog/) and started publishing case studies, available at [alpha-omega.dev/case-studies/](https://alpha-omega.dev/case-studies/). + +We've also appeared in multiple articles around Glasswing due to our work in applying advanced AI models to detect vulnerabilities in critical open source projects. + + +#### Package Registry Sustainability + +* [Open Source Security at scale with Michael Winser](https://opensourcesecurity.io/2026/2026-03-michael-winser/) +* [FOSDEM 2026 - Michael Winser - The terrible economics of package registries and how to fix them](https://docs.google.com/presentation/d/1P9zVRc9Tix_x4WyoPElORiTILl4YPGC41c-12MKbHWw/edit?slide=id.p#slide=id.p) +* [Open source registries face financial crisis, threatening software supply chain security | brief | SC Media](https://www.scworld.com/brief/open-source-registries-face-financial-crisis-threatening-software-supply-chain-security) +* [Open source package repositories face sustainability crisis • The Register](https://www.theregister.com/2026/02/28/open_source_opinion/) + +### Up Next + +Alpha-Omega continues to have regular meetings, both public and with key partners: + +* **Public Meeting**: Our next public meeting is next week (July 1st). All are welcome to attend. +* **Sustaining Package Registries Working Group**: Meets weekly +* **Open Source Corps of Security Engineers**: Meets bi-weekly + +### Questions/Issues for the TAC + +None at this time. From d917df4d463440f07f654519795f257dd3d01956 Mon Sep 17 00:00:00 2001 From: Michael Scovetta Date: Tue, 23 Jun 2026 09:57:22 -0400 Subject: [PATCH 2/3] Revise 2026 Q1 report to 2026 Q2 Alpha-Omega Updated report to reflect Q2 activities and objectives, including new contractors and initiatives for AI security in open source projects. Signed-off-by: Michael Scovetta --- TI-reports/2026/2026-Q2-Alpha-Omega.md | 33 +++++++------------------- 1 file changed, 8 insertions(+), 25 deletions(-) diff --git a/TI-reports/2026/2026-Q2-Alpha-Omega.md b/TI-reports/2026/2026-Q2-Alpha-Omega.md index 48c35fb1..2936046a 100644 --- a/TI-reports/2026/2026-Q2-Alpha-Omega.md +++ b/TI-reports/2026/2026-Q2-Alpha-Omega.md @@ -1,18 +1,15 @@ -# 2026 Q1 Alpha-Omega +# 2026 Q2 Alpha-Omega ## Overview -Alpha-Omega is running strong, with an increased emphasis on defending against AI-related threats to open source projects and -ecosystems. We recently received $2.5 million in renewed membership from Microsoft and brought on additional contractors (Kevin King, Francis Perrson) to increase our speed of execution. +Alpha-Omega is running strong, with an increased emphasis on helping open source projects and ecosystems defend themselves against +AI-related threats. We recently received $2.5 million in renewed membership from Microsoft and brought on additional help (Kevin King, Francis Perron, Andrew Nesbitt, Mirko Swilus) to increase speed of execution. -## Objectives +### Securing Open Source Against AI Threats -We've made progress in key areas +We've funded thirteen 6-month contract roles for AI security engineers in residence at major foundations/ecosystems, some of which have blogs listed [here](https://alpha-omega.dev/resources/blog/). In addition, we [committed](https://alpha-omega.dev/blog/the-apache-software-foundation-launches-10m-responsible-ai-initiative-with-initial-1-75m-donation/) $250k to Apache's Responsible AI initiative. These roles are working closely with the existing Security Engineers in Residence that we've funded to drive security initiatives within each organization. -We've funded thirteen 6-month contract roles for AI security engineers in residence at each of the major foundations (PHP, Node.js, Drupal, Rust, FreeBSD, Perl, Erlang, OSTIF, Eclipse, Python, Linux Kernel, -[Alpha-Omega Cyber Security OKRs for AI](https://docs.google.com/document/d/1noBehy3nKAyvsy6lAYHtAHgO5uLpzxZ11HgswF-xH3M/edit?tab=t.0) (draft) - -### Glasswing +As part of Glasswing, we worked closely with Anthropic and key open source projects to make advanced AI scanning available to highly trusted individuals within those ecosystems. With the first phase completed in May, Mirko is working with stakeholders on how to safely expand access and align access through the Linux Foundation. * [Frontier AI and the next phase of software vulnerability defence](https://blogs.eclipse.org/post/mike-milinkovich/frontier-ai-and-next-phase-software-vulnerability-defence) @@ -25,33 +22,19 @@ We have two updates: * The Eclipse Foundation recently announced availability of the [Managed Open VSX Registry](https://managed.open-vsx.org/) service. * Paul Brown has started working more directly with a few package registries to help them accelerate progress in this area. -* - -* **Objective 1**: Critical maintainers, projects, and ecosystems leverage AI capabilities to rapidly identify and fix exploitable flaws that would have a major impact on downstream consumers. -* **Objective 2**: Enable at least 10,000 OSS projects to apply *advanced* AI security capabilities before those capabilities become publicly available to threat actors. -* **Objective 3**: At least 100,000 OSS maintainers are aware of and able to adopt AI security solutions to proactively identify and fix exploitable security vulnerabilities in their projects. - ### Media Roundup We continue to publish blogs multiple times as week (usually written by our grant recipients), available at [alpha-omega.dev/resources/blog/](https://alpha-omega.dev/resources/blog/) and started publishing case studies, available at [alpha-omega.dev/case-studies/](https://alpha-omega.dev/case-studies/). We've also appeared in multiple articles around Glasswing due to our work in applying advanced AI models to detect vulnerabilities in critical open source projects. - -#### Package Registry Sustainability - -* [Open Source Security at scale with Michael Winser](https://opensourcesecurity.io/2026/2026-03-michael-winser/) -* [FOSDEM 2026 - Michael Winser - The terrible economics of package registries and how to fix them](https://docs.google.com/presentation/d/1P9zVRc9Tix_x4WyoPElORiTILl4YPGC41c-12MKbHWw/edit?slide=id.p#slide=id.p) -* [Open source registries face financial crisis, threatening software supply chain security | brief | SC Media](https://www.scworld.com/brief/open-source-registries-face-financial-crisis-threatening-software-supply-chain-security) -* [Open source package repositories face sustainability crisis • The Register](https://www.theregister.com/2026/02/28/open_source_opinion/) - ### Up Next Alpha-Omega continues to have regular meetings, both public and with key partners: * **Public Meeting**: Our next public meeting is next week (July 1st). All are welcome to attend. -* **Sustaining Package Registries Working Group**: Meets weekly -* **Open Source Corps of Security Engineers**: Meets bi-weekly +* **Sustaining Package Registries Working Group**: Meets weekly. +* **Open Source Corps of Security Engineers**: Meets bi-weekly. ### Questions/Issues for the TAC From dae03278e058519bb169f56dfaecaa70a7910edd Mon Sep 17 00:00:00 2001 From: Michael Scovetta Date: Tue, 23 Jun 2026 10:03:07 -0400 Subject: [PATCH 3/3] Revise funding information and project updates Updated funding details and added information about ongoing initiatives and media presence. Signed-off-by: Michael Scovetta --- TI-reports/2026/2026-Q2-Alpha-Omega.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/TI-reports/2026/2026-Q2-Alpha-Omega.md b/TI-reports/2026/2026-Q2-Alpha-Omega.md index 2936046a..d417727f 100644 --- a/TI-reports/2026/2026-Q2-Alpha-Omega.md +++ b/TI-reports/2026/2026-Q2-Alpha-Omega.md @@ -3,7 +3,7 @@ ## Overview Alpha-Omega is running strong, with an increased emphasis on helping open source projects and ecosystems defend themselves against -AI-related threats. We recently received $2.5 million in renewed membership from Microsoft and brought on additional help (Kevin King, Francis Perron, Andrew Nesbitt, Mirko Swilus) to increase speed of execution. +AI-related threats. In addition to $12.5 million in AI-related funding announced in March and renewed funding from Google and AWS earlier in 2026, we recently received $2.5 million in renewed membership from Microsoft. We brought on additional help (Kevin King, Francis Perron, Andrew Nesbitt, Mirko Swilus) to increase speed of execution. ### Securing Open Source Against AI Threats @@ -26,6 +26,8 @@ We have two updates: We continue to publish blogs multiple times as week (usually written by our grant recipients), available at [alpha-omega.dev/resources/blog/](https://alpha-omega.dev/resources/blog/) and started publishing case studies, available at [alpha-omega.dev/case-studies/](https://alpha-omega.dev/case-studies/). +Andrew Nesbitt continues to [blog regularly](https://nesbitt.io/posts/) on topics we care deeply about. + We've also appeared in multiple articles around Glasswing due to our work in applying advanced AI models to detect vulnerabilities in critical open source projects. ### Up Next @@ -36,6 +38,8 @@ Alpha-Omega continues to have regular meetings, both public and with key partner * **Sustaining Package Registries Working Group**: Meets weekly. * **Open Source Corps of Security Engineers**: Meets bi-weekly. +We continue to speak (and support our grant recipients speaking) at major conferences around the world. + ### Questions/Issues for the TAC None at this time.