Abstract of Findings
The “Human Pipeline” is a Vulnerability
The OMP’s LFX Mentorship Program is its single biggest vulnerability. It’s a formalized, high-trust “golden ticket” that grants unvetted people direct access to core projects and to mentors from IBM, Broadcom, and SUSE. It’s a ready-made vector for a “mentee-to-malware” social engineering attack.
Security is Dangerously Inconsistent
The OMP is a “neutral home” for a set of self-governed projects. This “every-project-for-itself” model means security is all over the map. The Galasa project has a strong, preventive check that blocks unknown code. The flagship Zowe project doesn’t; it instead relies on reactive scans after code is already in the pipeline.
It’s a “Black Box” Pipeline
The OMP’s security practices are dated. They tout things like SBOMs and the CII Best Practices Badge. That’s nice, but the XZ attacker also had a CII badge. It’s security theater. I found limited evidence of modern, cryptographic attestation. There’s no broad Sigstore artifact signing (to prove who made it) and no SLSA build provenance (to prove how it was made). Users are flying blind.
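To make concrete what SLSA build provenance gives a downstream user, here is an added example (not the report’s own code, and not code from Zowe, Galasa, or the OMP) of the binding checks a consumer performs on an in-toto/SLSA v1 provenance statement after its signature has been verified: the artifact’s digest must appear among the statement’s subjects, and the builder identity must be the one the project publishes. The artifact bytes, the statement, and the builder id `https://example.invalid/builders/ci@v1` are all constructed for the example; signature verification of the surrounding DSSE envelope (what `cosign`/Sigstore does against the transparency log) is assumed to have happened already and is not shown.

```python
import hashlib
import json

# Constructed sample artifact bytes, standing in for a downloaded release file.
ARTIFACT = b"example release payload\n"

# Hypothetical builder identity; a real project would publish the id of the
# build platform it trusts so consumers can pin it.
EXPECTED_BUILDER_ID = "https://example.invalid/builders/ci@v1"

# Constructed in-toto Statement carrying SLSA v1 provenance for ARTIFACT.
PROVENANCE_JSON = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{
        "name": "release.tar.gz",
        "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()},
    }],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"buildType": "https://example.invalid/build/v1"},
        "runDetails": {"builder": {"id": EXPECTED_BUILDER_ID}},
    },
})


def parse_statement(text: str) -> dict:
    """Decode the statement payload that sits inside a (already verified) DSSE envelope."""
    return json.loads(text)


def check_provenance(artifact: bytes, statement: dict, expected_builder_id: str) -> list:
    """Return a list of problems; an empty list means the statement vouches for artifact.

    Checks performed:
      1. the payload is an in-toto v1 Statement,
      2. its predicate is SLSA provenance v1,
      3. sha256(artifact) is one of the statement's subjects (binds the claim to these bytes),
      4. the builder id matches the identity the consumer expects.
    """
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("not an in-toto v1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("predicate is not SLSA provenance v1")

    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact digest not among statement subjects")

    builder = (statement.get("predicate", {})
               .get("runDetails", {})
               .get("builder", {})
               .get("id"))
    if builder != expected_builder_id:
        problems.append(f"unexpected builder id: {builder!r}")
    return problems


if __name__ == "__main__":
    stmt = parse_statement(PROVENANCE_JSON)
    print("genuine artifact:", check_provenance(ARTIFACT, stmt, EXPECTED_BUILDER_ID))
    print("tampered artifact:", check_provenance(ARTIFACT + b"x", stmt, EXPECTED_BUILDER_ID))
```

The digest check is what stops a statement issued for one build from being replayed against a different file; the builder-id check is what distinguishes “someone signed something” from “the project’s own pipeline built this.” Without a provenance statement to run these checks against, a user has only the badge to go on.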
Governance is Buried
The OMP’s “Root of Trust” isn’t hardware—it’s human reputation. Trust is delegated to committees. And when I went to find the actual rules for promoting a contributor to a committer for key projects like Zowe and Galasa, I hit a wall. The files weren’t missing, but they were effectively hidden in non-standard repositories, creating a “security by scavenger hunt” problem.
The report provides an in-depth analysis of these vulnerabilities and offers strategic recommendations to address them. Let’s get into it.
