Fundraising.Alpha‐Omega
- URL: https://alpha-omega.dev/grants/how-to-apply/
- Applied on: March 3, 2025
- Applicant: binford2k
- Scope & goal: this grant will help us form a security response team and protocol. It may also help fund tooling to help improve the state of supply chain security in the Puppet ecosystem.
- Email acknowledgment of proposal received on March 3.
- Passed the weed-out round. Ben is now working on a SOW proposal and scheduling a meeting with their technical strategist.
- They're concerned that helping us hire a team isn't sustainable; how will we continue to pay them after the grant runs out? Instead, they'd like to collaborate with Perforce to offer us a comprehensive security audit. Terms: they'd pay half, Perforce would pay half, the results would go to both Vox Pupuli and Perforce.
- In order to take advantage of this, we would need a trusted team of security developers who can resolve issues while under embargo.
- Coordinating meeting with Jake (p4) and Michael (A-O).
OpenVox (https://voxpupuli.org/openvox/) is an open source fork of the now fully commercial Puppet. As a configuration management tool, it is effectively root access to every system in an infrastructure. A vulnerability in a Puppet module, or in OpenVox itself, could lead to automated compromise of the full infrastructure. A Puppet module is effectively a bundle of configuration content run with root privileges on every managed node, and it can contain arbitrary executable code.
With that in mind, we are attempting to create a global security response team. This team will execute on our security response protocol by responding to security reports, issuing CVEs, communicating with other affected vendors, maintaining confidentiality, and managing tiger teams of open source engineers to fix exploitable flaws both in our own product and in the greater ecosystem of Puppet modules.
In the same vein, we will be building tooling to automate vulnerability assessment for content in the ecosystem, along with a safe & responsible reporting mechanism.
A funding level of ~$250k USD would provide us with
- staffing in USA and EMEA, our two largest userbases
- training for security staff and developers
- developer time for basic tooling
A funding level of ~$375k USD would also provide us with
- staffing in APAC for global coverage
- developer time for advanced vulnerability reporting mechanisms