
AI Companies Put $12.5M Into Open Source Security to Fix a Problem Their Tools Helped Create

The move targets the problem of maintainers drowning in AI-generated vulnerability reports.

The Linux Foundation has announced $12.5 million in grants to strengthen open source software security. The funding will be managed by Alpha-Omega and the Open Source Security Foundation (OpenSSF), two of its security-focused initiatives.

The idea behind this move is to tackle the growing problem of AI tools generating security findings (both legitimate and hallucinated ones) at a scale that open source maintainers simply cannot keep up with.

We already know that many open source projects don't have the resources or tooling to handle such a flood of reports. On top of the other development work they have to juggle, a project can get into real trouble if it is overwhelmed with AI slop.

Alpha-Omega and OpenSSF plan to work directly with maintainers to make sure whatever security tooling comes out of this is actually practical and fits into how their projects already work. The goal is to help them stay on top of growing security demands without getting completely buried.

The AI giants that have pitched in include:

  • Anthropic
  • AWS
  • Google
  • Google DeepMind
  • GitHub
  • Microsoft
  • OpenAI

On this, Greg Kroah-Hartman, Linux Foundation Fellow and Linux kernel maintainer, said:

Grant funding alone is not going to help solve the problem that AI tools are causing today on open source security teams. OpenSSF has the active resources needed to support numerous projects that will help these overworked maintainers with the triage and processing of the increased AI-generated security reports they are currently receiving.

This is not unfounded

Back in 2025, cURL's bug bounty program on HackerOne got hit with a wave of AI-generated reports. These were not real vulnerability findings, just a pile of unresearched submissions that people were clearly generating with AI and firing off without understanding what they were reporting.

cURL's creator, Daniel Stenberg, initially tried to push back, warning that anyone submitting AI slop would be publicly named, ridiculed, and banned. That did not really help: by January 2026, the project had already received 20 such submissions in the first few weeks alone.

So, the cURL bug bounty program was shut down entirely. I am betting that the developers are putting all this saved effort and time into tackling more productive tasks.

📋 If you didn't know, cURL is an important building block of modern IT infrastructure, used by billions of devices worldwide.

Of course, this grant does not fully remedy the problem of AI slop for open source projects, but it is at least a step in the right direction. These deep-pocketed AI giants need to do better, and hopefully this sets a precedent.

About the author
Sourav Rudra

A nerd with a passion for open source software, custom PC builds, motorsports, and exploring the endless possibilities of this world.