Alpha-Omega is an OpenSSF project, established in February 2022, with a mission to protect society by improving the security of open source software through direct maintainer engagement and expert analysis, trying to build a world where critical open source projects are secure and that security vulnerabilities are found and fixed quickly.
External link for Alpha-Omega
Thanks Laravel News for highlighting this. Alpha-Omega is glad to support The PHP Foundation in launching their new Ecosystem Security Team! PHP powers a massive portion of the modern web, and empowering maintainers with better security tooling and triage support is a critical mission. Great to have Volker Dusch leading the charge! 👇🛡️
The PHP Foundation Launches an Ecosystem Security Team https://lnkd.in/e4X46EXC
Alpha-Omega reposted this
We are proud to share that the Drupal Association has been awarded a grant from the Alpha-Omega Project, a project of The Linux Foundation, which seeks to help open source projects identify and mitigate security vulnerabilities. This funding directly strengthens the already mature Drupal Security Team, ensuring our core ecosystem is hardened against the modern, AI-age vulnerabilities. Drupal is, and will continue to be, one of the most secure CMS platforms in the world. 🙌
The security audit for Paramiko is complete. Paramiko provides a widely used Secure Shell implementation for Python. Countless projects rely on this library to establish secure connections. We funded this audit to identify vulnerabilities and support the maintainers in strengthening this essential component. We extend our sincere gratitude to Jeff Forcier, Derek Zimmer, Amir Montazery, Open Source Technology Improvement Fund, Inc (OSTIF), Dahmun Goudarzi, Julio Loayza Meneses, Alan Marrec, Pauline SAUDER, and Quarkslab for their collaboration on this audit. We also thank Helen Woeste for authoring the detailed blog post. Alpha-Omega protects society by catalyzing sustainable security improvements across open source software. Open source security requires shared responsibility. This audit reflects our collaborative commitment to ecosystem resilience. Read the full audit results and learn about the specific improvements made to the Paramiko project. https://lnkd.in/eU7zwrwe
Alpha-Omega reposted this
Voila- the results of OSTIF's security audit of Paramiko! Thanks to the contributions of Quarkslab and Alpha-Omega, this project received custom security work reviewing Paramiko’s testing, building and CI systems, and cryptography. Read about our work on the Python implementation of the SSHv2 protocol at our blog: https://lnkd.in/d5Jmejkw #OSTIF #quarkslab #OpenSSF #paramiko #opensource
Alpha-Omega reposted this
Starting a new six-month job for The PHP Foundation. Projects like 𝐆𝐥𝐚𝐬𝐬𝐰𝐢𝐧𝐠, harnessing tools like 𝐌𝐲𝐭𝐡𝐨𝐬, have been created to help prepare software ecosystems for this accelerating wave of security vulnerability reports. The challenge is to figure out how to address these reports, ensuring that credible ones get acted upon while filtering out the noise early. A massive personal thank you to Nils Adermann who has been instrumental in securing funding for these efforts from Alpha-Omega and The Linux Foundation. The amount of volunteer work he does to support the PHP ecosystem is astonishing and seeing his diligent and effective work the last couple of weeks was impressive. Happy that with the fast and responsive support from Elizabeth Barron and her leadership in The PHP Foundation to get this off the ground quickly. Looking forward to collaborating on improving security posture in our ecosystem's open-source projects, shared tooling for analyzing the security of PHP projects, but also tooling to automatically verify the veracity of vulnerability reports. I wouldn't be able to do this without the support from everyone at Tideways GmbH making sure my work there is covered. Deeply grateful to Benjamin Eberlei personally for giving me the time and opportunity to work on this. Check out the full announcement here: https://lnkd.in/dUnuYDDC and get in touch if you're interested.
Alpha-Omega reposted this
I just saw one of the excellent keynotes at OpenSSF Community Day, and it was such an important reminder of the importance of supporting the software ecosystems we all depend on. Mike Fiedler from the Python Software Foundation walked us through a real supply chain attack on PyPI, a man-in-the-middle phishing campaign that compromised package maintainer credentials and slipped malware into num2words, a transitive dependency of Hugging Face Transformers (30M downloads/day). The attacker didn’t need to breach PyPI directly. They registered a lookalike domain, built a proxy, and sent emails that looked exactly like official PyPI comms. Four maintainers clicked through. That was enough. A not so fun fact: TOTP (those 6-digit codes we all use) offered zero protection here. The proxy just passed them through in real time. WebAuthn, a protocol that binds authentication to the actual domain, could have stopped it. Of the maintainers who clicked, the ones benefiting from other protections like WebAuthn were not compromised. Also worth noting: the only reason PyPI had a coordinated incident response at all was Alpha-Omega funding. Without it, this falls on already overstretched maintainers. The arms race is real. The humans in the loop still matter enormously. If you maintain packages anywhere, like PyPI, npm, RubyGems, look into Trusted Publishing and WebAuthn. #OpenSSF #SupplyChainSecurity
Alpha-Omega reposted this
As #eBPF becomes the standard for high-performance networking, observability, and security, the integrity of its runtime is paramount. The eBPF Foundation has shared an update on ongoing efforts to strengthen the security posture of the technology through comprehensive audits and runtime hardening. Read the full security progress report: https://bit.ly/4uelrPF
Alpha-Omega is funding the The PHP Foundation to establish a new Ecosystem Security Team. This initiative aligns with our mission to catalyze sustainable security improvements across open source software. By funding dedicated security leadership roles, Alpha-Omega empowers maintainers to strengthen the core digital infrastructure on which global technology depends. Volker Dusch will lead this work, focusing on a collaborative security posture for the entire PHP community. Open source security is a shared responsibility that requires sustained, collective investment. Read more about this partnership https://lnkd.in/eBxpE-bs
Alpha-Omega reposted this
Beyond a certain scale of problem or task, the only useful question is "how much attention should we apply to what?" As Alpha-Omega and many others are leaning into to the tsunami of vulnerabilities and overloaded projects, answering that question become primal. Once again, Andrew Nesbitt has eloquently captured this on his blog: https://lnkd.in/e3tjJ3Pr How timely then to see Andrew's latest work for Alpha-Omega: https://lnkd.in/em9mnjg3
Alpha-Omega reposted this
This talk from Andrew Nesbitt grows more and more important as the days go on... it's a must watch! #Python #PyPI #PyConUS #PyConUS2026 #security #oss #opensource #supplychain
💡 Security Track Spotlight: GitHub Actions powers most Python CI, but it also introduces supply chain risks. In his talk “GitHub Actions Security in Python Packages” at #PyConUS 2026 Andrew Nesbitt shares findings from scanning thousands of workflows and practical ways to harden Python package releases. https://lnkd.in/gz78VAD8 #security