Add Alpha-Omega Q4 Update

TI-reports/2024/2024-Q4-Alpha-Omega.md

@@ -0,0 +1,101 @@
+# 2024 Q4 Alpha-Omega
+
+## Overview
+
+The Alpha-Omega Directed Fund continues our mission, to catalyze sustainable security improvements to the world's most critical
+open source projects and ecosystems. We do this by applying funding and influence in four key areas:
+
+* Staffing dedicated security roles within critical ecosystems/foundations
+* Funding work to improve security for artifact repositories / package registries
+* Funding security audits and remediation, often as a precusor to additional work
+* Experimentation
+
+### Recent Updates
+
+We publish monthly updates at <https://alpha-omega.dev/resources/reports>, including highlights from our
+engagement partners. We also collect more detailed status updates from each our engagement partners at
+<https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/>.
+
+In addition, we can offer the following recent updates:
+
+* **Alpha-Omega Roundtable**: We held a roundtable for Alpha-Omega partners and friends at the Open Source Summit
+  in Vienna. We had a lively discussion on many topics, including end-of-life transitions for open source projects,
+  and how to better market our successes to drive awareness and further investment.
+
+* **AI Library Reviews**: The security audit of 25 of the most popular AI libraries has wrapped up, and we're currently
+  discussing next steps, and will share details when we're able to.
+
+* **Engagement**: We recently expanded our engagement with Node.js to cover OpenJS, started an engagement with
+  Trail of Bits of improve PyPI's project-level lifecycle functionality, and kicked off a new type of engagement ("Beach Cleaning")
+  with Apache Airflow and its 700+ dependencies. We also renewed funding for the ClangBuiltLinux project, and kicked
+  off work to bring Content Security Policy (CSP) to Jenkins, which will better protect Jenkins infrastructure from vulnerable plugins.
+  Details about each of these engagement are available in our GitHub repository.
+
+## Objectives & Key Results
+
+All of our OKRs are on-track except for KR 2.1.
+
+|Key Result|Status|
+|-|-|
+|**O1: Catalyze trustworthy and secure software, runtimes, and infrastructure for all the major open source ecosystems through staffing**||
+|KR 1.1: Fund security improvements and initiatives for at least ten critical open source organizations by the end of 2024. |On target|
+|KR 1.2: For each engagement, confirm progress toward improved security outcomes, evidenced through initial and/or follow-on assessments, monthly reporting, and periodic check-ins.|On target|
+|KR 1.3: Drive the organizations we work with to obtain security funding from at least one organization other than Alpha-Omega, targeting 33% by the end of 2024.|On target|
+|KR 1.4: Organize quarterly roundtables for at least 5 major ecosystems  to share information, build connections, and collaborate, resulting in at least one new project or joint publication started in 2024.|On target|
+|**O2: The top 10,000 open source projects are free of critical security vulnerabilities**||
+|KR 2.1: Drive adoption of key security processes, including static analysis, credential scanning, the use of private vulnerability disclosures, structured metadata (Security Insights) and the use of multi-factor authentication by maintainers of 500 critical projects from the top 10,000 by the end of 2024.|Not Started|
+|KR 2.2: Independently scan, triage, and notify maintainers when critical vulnerabilities are found in 2,000 projects, chosen from the top 10,000 by the end of June 2024, with emphasis on clearing a "section of the beach" by focusing on the top PyPI packages.|On target|
+|KR 2.3: Publish in a machine readable format the attestations for all packages from 2.2 that returned no vulnerabilities and those that found vulnerabilities which were subsequently fixed and verified.|On target|
+|**O3: Enhance Alpha-Omega's effectiveness in driving security improvements through deliberate innovation and experimentation**||
+|KR 3.1: By the end of 2024, run three experiments to explore new strategies for reducing security risk within the open source ecosystems, share the results/learnings, using them to refine our overall strategy and objectives for 2025.|On Target|
+|**O4: Run an operationally efficient and effective program**||
+|KR 4.1: Allocate at least 85% of our yearly spend to activities directly in support of our mission.|On Target|
+|KR 4.2: Receive at least $5 million in renewed funding in 2024.|Completed|
+|KR 4.3: For each partner engagement, at least 70% of the objectives defined within the respective agreement are met within the defined time period.|On target|
+
+### Purpose
+
+To catalyze sustainable security improvements to the world's most critical open source projects and ecosystems.
+
+### Current Status
+
+We're active and healthy. Our team consists of Henri Yandell (Amazon Web Services), Bob Callaway (Google), and Michael Scovetta (Microsoft), 
+supported by Michael Winser (independent) and Michelle Martineau and Tracy Li from the Linux Foundation.
+
+We've received $5M in funding in 2024 and are on target to spend over $6M by the end of the year. 
+
+
+### Up Next
+
+We'll be at the Linux Foundation Member Summit next week, sponsoring a Happy Hour for OpenSSF Governing Board and TAC
+on 11/17 from 5-6 PM at the Mansion Bar & Terrace (at the Silverado Resort). We hope to see you there.
+
+We continue to hold monthly public meetings (on the OpenSSF community calendar).
+
+Our 2024 Annual Report will be published in early January 2025.
+
+Some key opportunities to engage:
+
+* Our next monthly report is due out around July 5th.
+* Our next roundtable (for grant recipients and selected guests) will be held on July 25th.
+* Our next public meeting will be held on August 7th.
+* We'll have a roundtable at Open Source Summit EU in September and are planning to attend the LF Member Summit.
+
+### Questions/Issues for the TAC
+
+No, but as always, we're eager for substantive discussion with TAC and others.
+
+## Additional Information
+
+Here's a selection of recent news and blogs referring to Alpha-Omega's work and impact:
+
+* [Advancing Security: Jenkins Content Security Policy (CSP) Project Progress](https://www.jenkins.io/blog/2024/11/01/jenkins-csp-project-update/)
+* [Node.js Security Progress Report: Microsoft’s Participation on Node.js Policy Integrity](https://openjsf.org/blog/latest-updates)
+* [Alpha Omega Foundation Content Security Policy Grant](https://www.jenkins.io/blog/2024/10/04/content-security-policy-grant/)
+* [Seth Larson: Python and Sigstore](https://sethmlarson.dev/python-and-sigstore?utm_campaign=rss)
+* [Why Your Open Source Project Should Prioritize Security: Lessons from FreeBSD's Proactive Approach](https://freebsdfoundation.org/blog/why-your-open-source-project-should-prioritize-security-lessons-from-freebsds-proactive-approach/)
+* [Talk: "Here Is a Clean Section of the Beach" - Proactively Auditing Open Source Dependencies and Letting End Users Know - Munawar Hafiz, OpenRefactory & Michael Winser, Alpha-Omega](https://www.youtube.com/watch?v=pzJ6uQeR5a4&ab_channel=TheLinuxFoundation)
+* [Composer 2.7.7 & Security Audit by Cure53 funded by Alpha-Omega](https://blog.packagist.com/composer-2-7-7/)
+* [Talk: State of Python Supply Chain Security](https://www.youtube.com/watch?v=1NWbFcL4-P0&ab_channel=PyConUS)
+* [Talk: Security United: ecosystem with Alpha-Omega, PSF & ASF - Airflow Summit 2024](https://www.youtube.com/watch?v=f6gfoVJXWEE&ab_channel=ApacheAirflow)
+* [Delving Into the Risks and Rewards of the Open-Source Ecosystem](https://www.informationweek.com/software-services/delving-the-risks-and-rewards-of-the-open-source-ecosystem)