AWS Open Source Blog
AWS and Others Invest $12.5M to Defend the Open Source Ecosystem from AI Threats
AWS, Anthropic, Google, Microsoft, and OpenAI today announced a joint $12.5 million investment with the Linux Foundation to help open source projects address a surge in AI-enhanced and AI-generated security vulnerability reports. Both the Alpha Omega initiative and the Open Source Security Foundation (OpenSSF) will receive the funding through Linux Foundation grants.
Software security is at a critical juncture in which foundation models are beginning to outpace security researchers in their ability to find bugs in critical code. Anthropic reported last month that its latest Claude Opus 4.6 model, for example, found and validated more than 500 high-severity vulnerabilities in open source projects in an initial round of research.
With this new funding, building on past multi-million dollar commitments of AWS, Google, and Microsoft to Alpha Omega, we will provide tools, automation, and resources to help open source maintainers quickly validate and remediate legitimate vulnerabilities while filtering out low-quality submissions. The investment builds on Alpha Omega’s proven track record of strengthening open source security across ecosystems over the past four years.
Together with Alpha Omega members, the Linux Foundation, the OpenSSF, and the broader open source security community, we seek to ensure that the same AI capabilities creating new challenges will also build more robust defenses for the software supply chain that powers global digital infrastructure.
AI Increasingly Finds Vulnerabilities in Open Source Projects
Producing security bug reports was once painstaking work: specialized tools for application fuzzing and penetration testing, manual validation and reporting of each issue, and remediation of the underlying vulnerability, a process that often took many months if not longer. It has now become a race against the clock, because potential threat actors have the same access to powerful, widely available generative AI models that can identify exploitable bugs.
Open source maintainers have also raised alarms that AI-generated bug reports are overwhelming their ability to review them. Many of the reports are of very low quality, a reality that has given rise to the new industry term "AI slop." Many projects have already put guidelines in place for AI-assisted submissions, while others have shut down outside contributions entirely to stem the flood of AI-generated pull requests.
Whether AI is finding legitimate vulnerabilities or submitting slop reports, the need to respond quickly and at scale is fast becoming an industry-wide issue. While projects need to patch their code, the responsibility cannot and should not fall entirely on overwhelmed maintainers.
AWS, Open Source, and Artificial Intelligence
As the world’s leading cloud provider, and a company that has invested deeply in open source supply chain security, tooling, and best practices, AWS will step up to help address the new security challenges that come with ubiquitous AI. AWS adopts, contributes to, and releases core technologies as open source, like countless companies, to build and run our cloud services. Secure open source projects are the foundation on which we deliver the cloud services that power our customers’ next great AI-enabled innovations.
AWS already provides a number of valuable tools and technologies for building and maintaining advanced AI systems. The Amazon Bedrock service for secure model hosting and the Amazon Bedrock AgentCore framework provide a rich set of building blocks for advanced, secure agentic applications. These capabilities include a secure, isolated compute platform for agents based on Firecracker, IAM and OAuth-based identity management, centralized tool access mediated by AgentCore Gateway and a Cedar-based policy engine, and rich observability and evaluation capabilities. Kiro leverages the power of frontier AI models, bringing structure to AI coding with specification-driven development, backed by AWS security best practices.
Amazon's Frontier Agents provide not only automated software development but also Security and DevOps agents, giving more comprehensive AI support across the software development and deployment lifecycle. With our additional investment in Alpha Omega, we will help extend the power of AI across the broader open source ecosystem.
Finding and fixing bugs
While AI-generated bug reports can create problems for open source projects, they are also invaluable for improving supply chain security. Never before have we been able to find and fix bugs at this speed or scale. We believe the same advanced models and tools that are finding the issues can also be leveraged to fix them, through better tooling and automation.
However, no single company can solve this problem, and it will only grow as more advanced models are released. Industry leaders must work together to ensure remediation is done quickly and in a manner that helps open source maintainers sustain the health of their projects over the long term. In doing so, we are helping to secure the software supply chain for everyone.
To this end, AWS has joined with Alpha Omega platinum members Google and Microsoft, as well as new members Anthropic and OpenAI, to announce an additional $12.5 million in funding. The $2.5 million investment from AWS is part of a larger pool of funds earmarked specifically to help open source projects, and the maintainers who work on them, fix security vulnerabilities more quickly. With this new funding, Alpha Omega aims to provide tools, automation, training, and other resources that will help open source projects keep pace with the rate at which foundation models are reporting new vulnerabilities.
Alpha Omega has improved open source security
For the past four years, Alpha Omega has provided grants to open source projects and foundations to fund security improvements. These include hiring full-time security engineers, conducting security audits, improving release tooling, and much more. Through Alpha Omega, the investing companies can work together, and with project maintainers and others in the open source security community, to make sure the funds go to the most critical projects and initiatives.
The organization, which is housed inside the OpenSSF at the Linux Foundation, has already achieved significant security improvements that affect entire ecosystems. Over the past four years, Alpha Omega has delivered security reports, remediated vulnerabilities, and forged partnerships with organizations such as the Internet Security Research Group, the Apache Software Foundation, the Rust Foundation, the Python Software Foundation, and the Eclipse Foundation.
As a result of Alpha Omega's funding in 2025, for example, the Rust Foundation fully deployed Trusted Publishing on crates.io and became an official CVE Numbering Authority. Node.js fixed two high-severity vulnerabilities. The Python Software Foundation enhanced PyPI's malware detection and account security. The FreeBSD Foundation improved third-party software security in FreeBSD's base system, successfully upgrading OpenSSL from 3.0 to the 3.5 LTS release (extending support until 2030). The Eclipse Foundation addressed vulnerabilities in Open VSX.
AWS is committed to working with the other Alpha Omega members and the projects they fund to help solve the issues arising from emerging AI technologies and unknown challenges in the future. We hope you’ll join us. Visit https://alpha-omega.dev/ for more information on the project and its initiatives and to get involved.