Half a dozen Big Tech players have together delivered $12.5 million in grants towards a project that aims to help maintainers of open source projects to cope with AI slop bug reports.<\/p>\n
\u201cAs the security landscape grows more complex, advances in AI are dramatically increasing the speed and scale of vulnerability discovery in open source software,\u201d explains a Linux Foundation announcement<\/a> about the initiative. \u201cMaintainers are now facing an unprecedented influx of security findings, many of which are generated by automated systems, without the resources or tooling needed to triage and remediate them effectively.\u201d<\/p>\n Anthropic, AWS, GitHub, Google, Microsoft, and OpenAI have decided they want to help, by collectively chipping in $12.5 million to the project.<\/p>\n Alpha-Omega, the Linux Foundation project that works to improve the security of open source supply chains, will run the new effort alongside the Open Source Security Foundation (OpenSSF).<\/p>\n We\u2019re told the two organizations \u201cwork directly with maintainers and their communities to make emerging security capabilities accessible, practical, and aligned with existing project workflows.\u201d Further: \u201cThe effort will support sustainable strategies that help maintainers manage growing security demands while improving the overall resilience of the open source ecosystem.\u201d<\/p>\n The Linux Foundation\u2019s announcement includes a canned quote from Greg Kroah-Hartman of the Linux kernel project, which opens \u201cGrant funding alone is not going to help solve the problem that AI tools are causing today on open source security teams.\u201d<\/p>\n Fear not, gentle reader, GKH didn\u2019t dump on this idea. The quote continues: \u201cOpenSSF has the active resources needed to support numerous projects that will help these overworked maintainers with the triage and processing of the increased AI-generated security reports they are currently receiving.\u201d<\/p>\n There\u2019s no word on exactly what this project will do, or when it will happen.<\/p>\n The problem of AI-generated bug reports overwhelming FOSS maintainers is not new. The Python Software Foundation complained<\/a> about it in late 2024. More recently, the maintainer of popular open-source data transfer tool cURL ended the project\u2019s bug bounty program due to difficulties caused by a flood of AI-generated contributions.<\/p>\n