Source: rustfoundation.org

An AI Security Engineer in Residence for the Rust Ecosystem

The Rust Foundation, with funding from the Alpha-Omega Project, is hiring a full-time AI Security Engineer in Residence to protect the Rust ecosystem from AI-generated vulnerability reports and reduce maintainer burden. The role will use AI-assisted methods to proactively review Rust and key crates, triage issues, and coordinate fixes. The position is part of a $12.5M Linux Foundation grant and will run for six months initially.

Published Jun 16, 2026

Read Alpha-Omega’s blog post about this exciting news here: https://alpha-omega.dev/blog/an-ai-security-engineer-in-residence-for-the-rust-ecosystem/

Since 2022, the Rust Foundation has run a Security Initiative aimed at protecting and supporting the parts of the ecosystem that no individual maintainer can reasonably be expected to cover alone: threat modeling for crates.io and the wider Project, provenance and artifact signing, trusted publishing, and tooling such as Painter and Typomania for mapping dependencies and catching typosquats. That work has been made possible through support from member organizations like AWS and, in large part, through the support and funding of Alpha-Omega, a cross-industry initiative that funds dedicated security work across critical open source projects and ecosystems. To date, the Security Initiative has mostly concentrated on the registry and the Project’s own infrastructure.

While the type of security work we’ve been doing with the Project for the Rust ecosystem remains vital, the threats have expanded since then, and so has the kind of help maintainers need. Much of this comes back to a single shift: automated tooling (much of it now built on large language models) has gotten good enough to surface real vulnerabilities in open source code quickly and at scale. That is useful, and several large Rust projects have already received and fixed credible issues found this way. The same tooling has also made it trivial to generate vulnerability reports that look plausible but are worthless. Maintainers across the ecosystem are losing real hours sorting these from the reports that matter, and the noise tends to bury the signal.

About the Position

So, with funding from the Alpha-Omega Project, the Rust Foundation is bringing on a full-time AI Security Engineer in Residence dedicated to the Rust ecosystem. This position is being funded with part of the $12.5M in open source security funding that the Linux Foundation announced in March.

The role exists to take pressure off maintainers. The person in this position will use a mix of human-led and AI-assisted methods to proactively review Rust itself and the crates the ecosystem leans on most, and help us separate real, exploitable issues from false positives and low-signal noise before anything reaches a maintainer. They will work closely with peers in other ecosystems and with maintainers, including the Rust Project’s Security Response Working Group, to judge severity in context, help develop fixes, and coordinate responsible disclosure and release, with advisories published through the RustSec database where appropriate. They will also be a clear point of contact for inbound reports, including those arriving through initiatives like Project Glasswing, and act as an intermediary between researchers and maintainers when urgent, high-risk issues arise.

This role will run full-time for six months to start, with room to extend depending on what we learn and the funding available. Methods, playbooks, and prompts will be documented so the work doesn’t end with the contract.

We are grateful that Rust is not embarking on this work in isolation. Several other ecosystems have received parallel Alpha-Omega grants for the same kind of work (e.g., the PHP Foundation and the Drupal Association), and we plan to share tooling, triage practices, and what we learn rather than duplicating work.

Meet Jacob Finkelman

The Rust Foundation is delighted to share that Jacob Finkelman has been selected as our AI Security Engineer in Residence. Jacob has been on the Rust Project’s Cargo team since 2018 and maintains pubgrub-rs, the dependency resolver that powers uv. He knows the crate dependency graph about as well as anyone, and is well-positioned to work on the supply-chain risk that lives there. Hear from Jacob in his own words below:

Hi, I am Jacob Finkelman. I go by Eh2406 on the internet. I started using Rust in 2015 to speed up my Python code for data analysis. After contributing to the dependency resolver, I joined the Cargo Team in 2018. This means I’ve been around long enough to watch the community struggle and thrive through an enormous amount of growth and change. Every success we have achieved has only been possible through the tireless efforts of real people. We have overcome every obstacle when we focus on those people’s needs and how to support and empower them. One of our next challenges is the wave of bugs discovered by the next generation of AI-powered developer tools. I look forward to working with this community through the AI Security Engineer in Residence role at the Rust Foundation to come out of this challenge with better support for our people, while simultaneously improving the security and resilience of the software we produce.

Get in touch

If you maintain a widely used crate and want it on our radar, let us know. We’re especially keen to hear from maintainers who have bandwidth to collaborate, and from people already working on Rust security tooling who want to compare notes.
