GRANT RECIPIENTS

Grant recipients provide monthly updates through the public GitHub repository.

2025 ALPHA GRANT RECIPIENTS

OpenJS

OpenJS promotes the widespread adoption and continued development of key JavaScript technologies worldwide.

OpenJS was granted $580,000 for the purpose of advancing security skills and processes among the contributor and implementer communities to strengthen the JavaScript ecosystem broadly and provide direct support to the most critical projects in the OpenJS project portfolio.

2024 ALPHA GRANT RECIPIENTS

Rust Foundation

Rust is a multi-paradigm, high-level, general-purpose programming language. Rust emphasizes performance, type safety, and concurrency.

Rust was granted $460,000 for the purpose of building upon the foundation laid down in 2023, particularly with regard to implementing security solutions and best practices across the entire ecosystem.

Linux Kernel

The Linux Kernel is the beating heart of an ecosystem that drives our modern world. It powers communications infrastructures, supports economic activities, manages production lines, and facilitates the functionality of billions of IoT devices and smartphones worldwide. The Linux Kernel directly or indirectly affects the lives of billions of people around the world, and is instrumental in sectors ranging from telecommunications to manufacturing to finance.

Linux Kernel was granted in 2024 for the purpose of clang and hardening the Linux kernel.

Eclipse Foundation

The Eclipse Foundation is the leading open source foundation in the Java ecosystem, in addition to hosting significant projects in other areas such as developer tools, IoT/edge and automotive.

Eclipse was granted $900,000 for the purpose of continuing to implement Supply chain Levels for Software Artifacts (SLSA) across Eclipse Foundation projects.

Cure53

Cure53 offers penetration tests for online services, security analysis and architectural advice, and training and consulting.

Cure53 was granted $43,000 for the purpose of providing input for the project to remedy reported problems and to increase the overall safety of the package manager.

FreeBSD

FreeBSD–the operating system and the global community that develops it–has a reputation gained over 30 years for reliability, stability, and security.

FreeBSD was granted $137,500 for the purpose of focusing on two projects: a Code Audit of up to two key subsystems and a development Process Audit.

Node.js

As an asynchronous event-driven JavaScript runtime, Node.js is designed to build scalable network applications.

Node was granted $300,000 for the purpose of maintaining a security support resource to improve vulnerability management and dependency management.

OpenRefactory

The scope focuses on Python projects. OpenRefactory will collect the top 10,000 projects from PyPI based on the number of downloads over the last year. In addition, OpenRefactory will generate attestations and work with the Python Software Foundation to create a mechanism through which end users can consume the results.

OpenRefactory was granted $220,000 for the purpose of reporting security vulnerabilities at scale in open source projects and working with the maintainers to get those vulnerabilities fixed.

Ruby Central

RubyGems is the package management system for the Ruby programming language, used by every Ruby developer and company to create, share, and use gems (Ruby packages). The focus is to improve security for the Ruby language package ecosystem.

RubyGems was granted $250,000 for the purpose of conducting a security and process audit of the RubyGems.org servers, project, and processes, and remediating any issues discovered.

Open Source Technology Improvement Fund

The Open Source Technology Improvement Fund (OSTIF) is a corporate non-profit dedicated to securing open source apps that we all depend on. Securing software isn’t easy, and we know what it takes to succeed. By facilitating security audits and reviews, OSTIF makes it easy for projects to significantly improve security.

OSTIF was granted $300,000 for the purpose of conducting threat modeling, code review, and vulnerability reporting and management for 25 open source projects.

Prossimo

Prossimo is an Internet Security Research Group (ISRG) project. Their mission is to move the Internet’s security-sensitive software infrastructure to memory safe code and to change the way people think about memory safety.

ISRG was granted $780,000 for the purpose of creating a suite of Rust media decoders and compression libraries that are safer without sacrificing performance, maintaining Rust as a supported second language for Linux kernel development, and fostering the creation of drivers and modules written in Rust.

Trail of Bits

Trail of Bits provides technical security assessment, engineering consulting, and advisory services to some of the world’s most targeted organizations. They combine high-end security research with a real-world attacker mentality to reduce risk and fortify code.

Trail of Bits was granted $192,400 for the purpose of improving PyPI’s project-level “lifecycle” functionality, including implementing and improving key features related to PyPI’s project deletion, project uploading, and project “status” handling.

Python Software Foundation

The Python Software Foundation is the organization behind the open source Python programming language. It is devoted to creating the conditions for Python and the Python community to grow and thrive.

The Python Software Foundation was granted $160,000 for the purpose of continuing the Security Developer-in-Residence role to focus on the Software Bill-of-Materials strategy for Python packages, CPython release process and SBOMs for macOS artifacts, and Python Security Response Team process improvements.

2023 ALPHA GRANT RECIPIENTS

Eclipse Foundation

The Eclipse Foundation is the leading open source foundation in the Java ecosystem, in addition to hosting significant projects in other areas such as developer tools, IoT/edge and automotive.

In 2022 The Eclipse Foundation was granted $400,000 for the purpose of automation and implementation of security best practices to its hosted projects.

Node.js

As an asynchronous event-driven JavaScript runtime, Node.js is designed to build scalable network applications.

In 2022 Node.js was granted $275,000 for the purpose of implementing a Security Support Role.

OpenRefactory

The mission of OpenRefactory is to use artificial intelligence to verify that digital systems are free of critical bugs and vulnerabilities that expose organizations to significant financial and reputational risk.

In 2023 OpenRefactory was granted $50,000 for the purpose of reporting security vulnerabilities at scale in open source projects and working with the maintainers to get the vulnerabilities fixed.

Prossimo

Prossimo is an Internet Security Research Group (ISRG) project. Their mission is to move the Internet’s security-sensitive software infrastructure to memory safe code and to change the way people think about memory safety.

In 2023 ISRG was granted $530,000 for the purpose of moving the most critical software on the Internet to memory safe code.

OpenSSL

OpenSSL is a globally distributed cryptography library touching nearly every industry in the world.

In 2023 OpenSSL was granted $127,000 for the purpose of assessments that will be performed by teams of Trail of Bits security consultants. The secure code review, including fuzzing enhancements, will be performed over a four calendar-week period, for a total of eight engineer-weeks of effort.

Homebrew

Homebrew is the predominant package manager for macOS, with millions of daily users and hundreds of active contributors. Homebrew is also widely used on Linux and preinstalled on GitHub Actions’ hosted runners.

The goal of this project is to add provenance and package signing to the ecosystem.

2022 ALPHA GRANT RECIPIENTS

Eclipse Foundation

The Eclipse Foundation is the leading open source foundation in the Java ecosystem, in addition to hosting significant projects in other areas such as developer tools, IoT/edge and automotive.

In 2022 The Eclipse Foundation was granted $550,000 for the purpose of automation and implementation of security best practices to its hosted projects.

jQuery

jQuery is a fast, small, and feature-rich JavaScript library. It makes things like HTML document traversal and manipulation, event handling, animation, and Ajax much simpler with an easy-to-use API that works across a multitude of browsers. With a combination of versatility and extensibility, jQuery has changed the way that millions of people write JavaScript.

In 2022 jQuery was granted $350,000 for the purpose of securing the consumer web, reducing potential security incidents for jQuery by modernizing its consumers and its code.

Node.js

As an asynchronous event-driven JavaScript runtime, Node.js is designed to build scalable network applications.

In 2022 Node.js was granted $300,000 for the purpose of implementing a Security Support Role.

Python Software Foundation

The mission of the Python Software Foundation is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers.

In 2022 Python was granted $400,000 for the purpose of funding a security audit and the creation of a new Security Developer-in-Residence role.

Rust Foundation

Rust is a multi-paradigm, high-level, general-purpose programming language. Rust emphasizes performance, type safety, and concurrency.

In 2022 Rust was granted $460,000 for the purpose of facilitating collaborative work with corporate participants for the benefit of the whole Rust ecosystem.
