Six large technology companies, including Anthropic, AWS, GitHub, Google, Microsoft and OpenAI, recently jointly provided a total of US$12.5 million in funding to projects related to the Linux Foundation, aiming to help free and open source software (FOSS) project maintainers cope with the pressure of "water-filled" security vulnerability reports generated by artificial intelligence tools.

The Linux Foundation pointed out in the announcement that as the security situation becomes increasingly complex, AI technology is significantly increasing the speed and scale of vulnerability discovery in open source software. Maintainers are facing an unprecedented large number of security problem feedbacks, a considerable part of which are generated by automated systems, but lack the corresponding resources and tools to effectively classify, screen and repair them.

The funds will be used to support the Alpha-Omega project of the Linux Foundation, which focuses on open source supply chain security, and to jointly promote a new plan with the Open Source Security Foundation (OpenSSF). According to reports, the two organizations will work directly with project maintainers and their communities to make emerging security capabilities more accessible, more operable, and integrated into existing project workflows, while exploring sustainable strategies that will not only alleviate the growing security pressure on maintainers, but also enhance the resilience of the entire open source ecosystem.

Greg Kroah-Hartman, core maintainer of the Linux kernel project, admitted in comments published by the foundation that funding alone cannot solve all the problems that AI tools bring to open source security teams, but he also emphasized that OpenSSF already has the corresponding tools.resource, maintainers who are overwhelmed by AI-generated security reports can be supported through multiple projects, and such reports can be classified and processed more efficiently.

However, the Linux Foundation has not yet given further details regarding the specific technical path, implementation methods and timetable of this new plan.

It is not a new problem that AI-generated vulnerability reports occupy maintainers' energy. As early as the end of 2024, the Python Software Foundation publicly complained about a similar situation. Since then, the maintainers of the widely used open source data transfer tool cURL also announced the termination of the project's bug bounty program because they were unable to cope with the large number of AI-generated submissions and feedback.

Even GitHub, which is affiliated with Microsoft, has begun to seriously consider how to deal with the influx of AI-generated contributions and pull requests of worrying quality, and is exploring setting up some kind of "emergency brake" mechanism to prevent such noise from drowning the normal open source collaboration process.