
By Helen Woeste, Operations and Communications Manager of OSTIF
As we approach the halfway point of 2026, we’re checking in with Alpha-Omega and our community. Diving in, this blog will highlight the ongoing collaboration between OSTIF and Alpha-Omega, published work released this quarter together, and upcoming engagements. This year has been one of record-breaking productivity for us, having brought on a full-time project manager, Tom Welter, and working around the clock on AI developments in cybersecurity.
OSTIF Executive Director Derek Zimmer and Managing Director Amir Montazery attended the Alpha-Omega roundtable in Minneapolis last month, getting the chance to talk directly with our partners in open source software security about the rest of the year ahead. As Alpha-Omega mobilizes to address and resolve the growing debt of reported vulnerabilities, OSTIF too is working to create actionable and sustainable solutions for maintaining open source in the age of AI.
At the same time, we’re working with Alpha-Omega to bring security outcomes to projects critical to our digital infrastructure. OSTIF work published this quarter includes:
- Paramiko: Custom security review of the project’s testing, build, CI systems, and cryptography.
- Requests: Custom security review of the project’s code, testing, and documentation.
- Cachecontrol: Custom security review of the project’s code, testing, and documentation.
- Urllib3: Custom security review of the project’s code, testing, and documentation.
- AIxCC Competition: 2-year DARPA AI security competition vulnerability verification and disclosure.
There’s plenty up ahead this year. Our industry is reckoning with the speed of AI disclosures and the weight they are placing upon already undersupported maintainers. We’ve partnered with Alpha-Omega to identify and work on projects used in AI and across the wider digital landscape, and to retain a supply-chain security expert (OpenSSF and Carabiner’s Adolfo Veytia) to harden the other aspect of open source that has come under attack in the past year. Upcoming work includes:
- Supply Chain hardening by Adolfo García Veytia: Contract security work improving release and development practices in critical projects.
- Ongoing AIxCC/DARPA Program: Leveraging the work done by AIxCC teams and continuing ongoing discovery, verification, and disclosure of findings.
- AI Use in Security Research Policy: We’re setting the record straight with how our organization leverages AI in our engagements. Keep an eye out in July for this release to learn more about how OSTIF’s security teams are transparently implementing AI assistance in security work. This document will function as a living reference and repository of best practices for security firms working in a new era of AI-assisted open source security.
- Five (5) security audits/engagements currently underway: A variety of open source projects undergoing custom security work.
As we move into the back half of 2026, there’s a lot of work to be done. There are new challenges to our industry: the introduction of widespread AI to open source cybersecurity, increasingly elegant and long-term exploits, and social engineering being leveraged against maintainers. OSTIF’s mission to improve and assist in the ongoing maintenance of open source security becomes even more important, to us and, by extension, to the friends, family, and communities around the world relying on open source.
Follow OSTIF’s work and mission on our webpage or reach out to us directly!
Author Bio
Helen Woeste joined OSTIF in 2023, coming from a decade of work experience in the restaurant and hospitality industries. With a passion (and degree) for writing and governance structures, Woeste quickly transitioned into an operations and communications role in technology.