Google expands funding and defender tooling for open source security in the AI era
Original: Our latest investment in open source security for the AI era
Google moves from finding flaws to helping fix them
Google said on March 17, 2026 that it is expanding its investment in AI-powered open source security, arguing that the internet's dependence on open source software now requires stronger support for the people who maintain it. In the company's announcement, Google framed the effort as a shift from identifying vulnerabilities toward helping projects actually remediate them more quickly.
The most concrete commitment is funding. Google said that, as a founding member of the Linux Foundation's Alpha-Omega Project, it is joining Amazon, Anthropic, Microsoft/GitHub and OpenAI in a collective $12.5 million pledge. According to Google, the funding will be managed by Alpha-Omega and OpenSSF and is meant to help maintainers stay ahead of AI-driven threats, deploy fixes instead of only collecting reports, and get more advanced security tools directly into their workflow.
Google also tied the announcement to internal AI security systems it says are already proving useful. The post points to Big Sleep and CodeMender, two Google DeepMind-linked tools that Google says have helped identify and fix deep, exploitable vulnerabilities in complex software, including Chrome. The company also said it is extending research efforts such as Sec-Gemini to open source projects, signaling that it wants AI-based security assistance to move beyond internal use and into shared infrastructure for maintainers.
The broader significance is operational. As generative AI expands code generation, dependency reuse and automated vulnerability discovery, the bottleneck shifts from finding bugs to triaging and patching them. Google is treating funding, maintainer support and AI-assisted remediation as one problem rather than three separate ones. For developers and organizations that rely on open source, that matters because the same tooling that speeds up discovery of weaknesses in widely used libraries also speeds up their exploitation: attack surface and defensive capacity are rising at the same time, and which side benefits depends on how quickly maintainers can turn reports into shipped fixes.
Primary source: Google.
Related Articles
Linus Torvalds has warned that AI-powered vulnerability discovery tools are flooding the Linux kernel security mailing list with duplicate reports, creating what he calls 'unnecessary pain and pointless work.' He argues that AI-detected bugs are by definition not secret, and urges researchers to contribute patches rather than bare reports.
Google's Threat Intelligence Group detected the first confirmed AI-authored zero-day exploit in the wild—a Python script bypassing two-factor authentication in a popular open-source web admin tool, intercepted before criminals could launch a mass exploitation campaign.
Archestra faced a deluge of AI-generated low-quality contributions: 253 bot comments on a single bounty issue, 27 untested PRs for one feature request. Their solution combines contributor onboarding verification with Git's --author flag to create a barrier that distinguishes AI-assisted human contributions from pure bot spam.