Major AI companies commit $12.5m to tackle open source security crisis they helped create
TL;DR: The Linux Foundation has announced $12.5 million in grants managed by Alpha-Omega and OpenSSF to strengthen open source security. Seven AI companies including Anthropic, Google, Microsoft and OpenAI are funding the initiative. The grants aim to help maintainers cope with a surge in AI-generated security reports, many of which are fabricated or low quality.
The Linux Foundation is directing $12.5 million toward helping open source maintainers deal with a problem that AI companies are partly responsible for creating: a flood of automated security reports that are overwhelming the people who maintain the software the entire industry depends on.
The funding will be managed by Alpha-Omega and the Open Source Security Foundation, two Linux Foundation initiatives focused on software supply chain security. Contributors include Anthropic, AWS, Google, Google DeepMind, GitHub, Microsoft and OpenAI.
The problem AI created
AI tools have made it trivially easy to generate security vulnerability reports, whether or not those vulnerabilities actually exist. Open source maintainers, many of whom work on a volunteer basis, are now receiving reports at a volume they cannot realistically process.
The cURL project provides the clearest example. Its bug bounty programme on HackerOne was hit with a wave of AI-generated submissions through 2025. These were not genuine vulnerability findings but unresearched reports that submitters had clearly produced with AI tools and submitted without understanding what they described.
cURL creator Daniel Stenberg attempted to deter submissions by threatening to publicly name and ban anyone submitting AI-generated reports. It did not work. By January 2026, the project had received 20 such submissions in the first few weeks alone, and Stenberg shut the bug bounty programme down entirely.
Practical support, not just funding
The grants are designed to go beyond writing cheques. Alpha-Omega and OpenSSF plan to work directly with maintainers to develop security tooling that fits existing project workflows rather than imposing new processes. Linux kernel maintainer Greg Kroah-Hartman noted that grant funding alone will not solve the problem; the value lies in the active resources OpenSSF can provide to help overworked maintainers triage and process the incoming volume.
Looking forward
The irony is hard to miss: the companies building the AI tools that generate these problematic reports are now funding the effort to mitigate the damage. For UK organisations that depend on open source software, which is effectively all of them, the initiative is a welcome step. But whether $12.5 million and better tooling can match the scale of an AI-accelerated problem remains to be seen.