Schneier blogged the $10m in grants to the LF’s new Open Source Security Foundation, which got me thinking about it again.
Last I checked, the plan for the money was essentially in-house projects of the LF. Pick a couple hundred key projects and vet them by hand. Develop some broad-scale scanning tools and run those on the rest of open source.
There are some stray mentions of “training” or similar work on the maintainers. But overall, my strong impression was this is another LF-centralized effort at doing security unto maintainers, rather than supporting them to do it themselves.
Celebrating this as a big number also feels kind of goofy, begging dollars-to-dollars comparisons that don’t really flatter. $10m is a big headline number for an open source initiative. It certainly blows the big numbers from donation- and sponsorship-supported projects away. But it’s also less than the median Series A venture financing amount for a startup in Q2 2021. The average A funds-raised amounts I see elsewhere run much higher, like $20m+.