Insights & Updates on Application Security

AppSecAI Built OASIS to Solve the Open Source Fix Problem. Here's Why.

Written by Bruce Fram | May 22, 2026 5:29:59 PM

Open source software runs nearly every business on the planet. It runs your payroll system, your customer database, your CI/CD pipeline, and probably the framework powering the page you're reading right now.


It is also, right now, being scanned for vulnerabilities by AI systems faster than any human team can respond.

That gap is why we built OASIS.

What OASIS Is

OASIS is an AppSecAI initiative developed in partnership with Dave Wichers, co-founder of the OWASP Top 10, and proposed through OWASP. The mission: mobilize the global AppSec community to deliver community-validated vulnerability fixes for the open source software the world depends on.

The backstory matters here. Dave Wichers has been part of AppSecAI's orbit since the beginning. Michael Cartsonis, AppSecAI's co-founder, has known Dave since kindergarten. The relationship ran through Contrast Security, where Bruce Fram served as founding CEO and Dave contributed to the original OWASP Java benchmark that AppSecAI has since extended. That history is what makes OASIS possible: it is not a vendor project dressed up as community work. It is a project built by people who have been in the AppSec community for decades, working with the person who helped create the OWASP Top 10 itself.


The model is worth understanding in detail because it is genuinely different from anything the industry has tried before.


AI generates candidate fixes for known vulnerabilities in open source codebases. AppSec professionals join as Validators and review those fixes in short, focused sessions. Validated fixes go back upstream as community-vetted contributions to open source maintainers.


Three things make this work where other approaches have failed. First, it uses AI for what AI is good at: generating candidate fixes at scale without the triage overhead that has historically made open source vulnerability remediation unsustainable. Second, it keeps humans in the loop at the validation step, which is exactly where human judgment matters most. Third, it turns the AppSec community itself into the engine, distributing the work across practitioners who already have the expertise and now have a five-minute path to applying it.


This is not a corporate bug bounty program. It is not another vendor asking open source maintainers to absorb more work. It is the AppSec community organizing to actually fix the problem.


Why the Timing Matters

The open source vulnerability problem is accelerating in both directions simultaneously.


On the discovery side, AI-powered tools are finding vulnerabilities in widely used open source codebases faster than ever before. Anthropic's Claude discovered over 500 high-severity zero-days across production open source codebases. AISLE found every CVE in OpenSSL's January 2026 coordinated release. Autonomous systems are scanning millions of lines of code at costs that make continuous testing economically viable for the first time.


On the remediation side, nothing has fundamentally changed. According to the 2026 Veracode State of Software Security Report, the median time to fix a vulnerability is still 243 days. 82% of organizations carry security debt. Third-party open source flaws have a remediation half-life of 358 days. The Sonatype 2026 State of the Software Supply Chain Report found that there are now over 1.2 million malicious packages in the open source ecosystem, with 454,648 new ones discovered in 2025 alone.


The velocity of discovery is outrunning the capacity to fix. SAST and DAST tools have given organizations visibility into the problem for years, but visibility without remediation capacity is just a longer list of things that aren't getting done.

OASIS works on the fix side of that ratio by multiplying the number of qualified humans contributing validated fixes.


Why We Built It

We built AppSecAI on one core belief: fixing vulnerabilities is harder and slower than finding them, and that gap is where breaches happen.


Our triage automation removes false positives from SAST scans at 97% accuracy. Our fix automation generates candidate code fixes in 42 seconds, and the human review that validates those fixes averages 8.2 minutes. We designed it this way because the manual alternative, the $5,000 to $20,000 per-vulnerability remediation process that has been the industry standard, simply does not scale to the volume of findings that modern applications generate.


OASIS applies the same logic to open source: AI does the fix generation, AppSec professionals do the validation, trusted contributions flow to maintainers. The work is distributed, the quality is maintained, and the output is something maintainers can actually use rather than another flood of AI-generated noise.


We built OASIS because open source is in nearly every enterprise codebase we work with. The security of those dependencies is not someone else's problem. It is our problem, and it is yours.


How to Get Involved

OASIS needs AppSec professionals to join as Validators. Five minutes a week. Real impact on the software that runs the world.


If you secure software for a living, this is one of the most direct ways to apply your expertise beyond the walls of your current organization.

Learn more and register at owasp-oasis.org.

AppSecAI automates vulnerability remediation (triage and fix) with 97% triage accuracy and an average human review time of 8.2 minutes per fix. Pay per fix, not per scan. Learn more here.