Hi Kate, Shuah, all,
Yesterday I listened in on an LF Webinar (here is the recording https://www.youtube.com/watch?v=RBVzDGi66aw) which was pretty much a kickoff for the Alpha-Omega Project of LF OpenSSF.
Brian Behlendorf is the GM of OpenSSF, and he has 2 team members from Microsoft and Google.
Their vision (quoted from the slide deck): "Through Alpha, we will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture …"
Includes things like a source code audit, helping the maintainers set up scanning, … proposing fixes, ensuring the project can be reliably re-built, etc.
"Through Omega, we will identify at least 10000 widely deployed OSS projects where we can apply automated security analysis, scoring and remediation guidance to support their open source maintainer communities …"
Using a combination of existing tools (mostly open source), analyze 10000 open source projects for critical security vulnerabilities. Refine the ruleset, build a system for automating the triage as much as possible, and then use security experts to validate what we find.
Reach out to the maintainers, report the issue, offer help with fixing, closing the loop:
"Security vulnerabilities" are most commonly code quality issues, which we flag for safety as well. So we have something to learn from this effort.
It is a good model to understand, and perhaps for safety experts to better understand how open source works.
And if ELISA members (or others) are ready to make the jump and change in mindset, perhaps even to join forces.