I asked in a different thread:
Do we have a sense that projects like OpenBSD/OpenSSH, FreeBSD, ISC[1] and Apache were included in the "blessed" initial participants in Project Glasswing?
Or is it big name tech companies, banks and fashionable languages and package managers?
[1] Bind, DHCP
Probably? FreeBSD has had a large increase in security advisories the past couple months. More in the last two months than all of 2025 combined.
Those advisories all came from outside sources, most notably calif.io.
It's not clear to me that FreeBSD found any of them internally ...
Calif.io have access to Mythos Preview which they've used to find a macOS kernel memory corruption exploit on Apple M5: https://blog.calif.io/p/first-public-kernel-memory-corruptio...
It's probably a better approach to onboard a few independent security companies and task them with reviewing multiple OSS projects than to onboard each project individually.
“Oi, you got a loicense to make secure software there?”
I joke but that is the world we are moving towards. I don’t think many on HN have thought through the second and third order implications.