May 18, 2026

Issue #8: KDE funding, AI vulnerability pressure, and foundation homes

This week: KDE received major Sovereign Tech Fund support, Zulip created a foundation, Goose moved to the Linux Foundation, AI-assisted vulnerability reporting strained maintainers, and Bambu Lab kept drawing open source backlash.

This week in Open Source Funded, European public-interest funding showed up in a big way: the Sovereign Tech Fund is investing more than €1.2 million in KDE over 2026 and 2027.

The other big theme was AI pressure on open source security. Maintainers, public-sector teams, vendors, and lawmakers are all trying to respond to a world where vulnerability discovery and vulnerability reporting can scale faster than triage capacity.

There was also plenty of governance activity: Zulip formed a nonprofit foundation, Block handed Goose to the Linux Foundation, Wikimedia joined the Digital Public Goods Alliance, and several organizations moved closer to Linux Foundation-hosted ecosystems.

Projects joining a foundation

Zulip created a foundation

Zulip announced the Zulip Foundation, a new nonprofit home for the open source team chat project. The foundation is meant to support long-term governance, fundraising, and community stewardship around the project.

Source: The Zulip Foundation

Funding and sustainability

KDE received a €1,285,200 investment from the Sovereign Tech Fund for 2026 and 2027. The money will support reliability and security work across KDE Plasma, KDE Linux, core frameworks, and related infrastructure. The Register framed the funding as part of wider European interest in more sovereign desktop operating system options.

OpsMill raised about $14 million in Series A funding to expand Infrahub, its open source graph database platform for infrastructure data management.

The Software Sustainability Institute highlighted the launch of the Open Source for Science Fund, a multi-donor effort offering life-sciences open source software grants of up to $1 million.

depthfirst launched an Open Defense Initiative, committing up to $5 million in platform credits for selected open source projects to find and fix zero-day vulnerabilities.

Acquia launched a Fair Trade Initiative that directs 2% of eligible partner co-sell transactions to the Drupal Association.

Tether launched a developer grants program for work across its open technology stack, including local-first AI components and open source self-custodial wallet infrastructure.

Sources: Sovereign Tech Fund invests over €1 million in KDE software development, KDE bags €1.3M as Europe realizes it might need an OS of its own, OpsMill Announces $14M in Funding to Fix the Dirty Data Problem Blocking Enterprise AI Automation, Announcing the Open Source for Science Fund, depthfirst Commits up to $5M in Credits to Help Open Source Software Find and Fix Zero Day Vulnerabilities, Acquia Launches Fair Trade Initiative, Committing 2% of Every Eligible Partner Deal to the Drupal Association, Tether Launches Developer Grants Program to Fund Local-First AI and Payments Infrastructure

AI vulnerability discovery is straining maintainers

The pressure around AI-assisted vulnerability discovery kept spreading.

Turso retired its $1,000 data-corruption bug bounty after AI-assisted reports and disputes over payment made the company conclude that financial incentives no longer fit its open source contribution process. Metabase described a “strip mining” era of open source security, arguing that LLM-powered vulnerability scanners are producing far more reports and increasing maintainer triage burden.

The Linux kernel added documentation clarifying what counts as a security bug and how AI should be used responsibly when finding and reporting kernel bugs. LWN noted that Linux 7.1-rc4 documentation updates address duplicated AI-generated reports that have made the kernel security list harder to manage.

Outside individual projects, a bipartisan group of U.S. lawmakers asked the Office of the National Cyber Director to coordinate planning for higher volumes of AI-discovered vulnerability disclosures. OpenAI launched Daybreak, a controlled-access AI cybersecurity initiative, while coverage again pointed to the same triage and disclosure-capacity problem.

Sources: The Wonders of AI: We Are Retiring Our Bug Bounty Program, Welcome to the Strip Mining Era of OSS Security, Linux Kernel Adds Documentation For What Qualifies As A Security Bug, Responsible AI Use, Kernel prepatch 7.1-rc4, AI-Discovered Vulnerability Coordination Letter, OpenAI Launches Daybreak for AI-Powered Vulnerability Detection and Patch Validation

Public code, AI reports, and contribution rules

The same security pressure is also changing how institutions think about public repositories. Simon Willison highlighted the UK Government Digital Service response to the NHS retreat from open source, with GDS recommending that public-sector code remain open by default despite AI-assisted vulnerability discovery concerns.

Fedora’s AI Developer Desktop proposal also stalled after community objections around out-of-tree drivers and AI tooling. RPCS3 updated contributor rules after maintainers saw more low-quality AI-generated pull requests.

Meanwhile, Spiral introduced Loupe, an AI-powered vulnerability scanning effort for open source Bitcoin projects, and VulnCheck argued that rising CVE disclosure volumes are an early sign that AI-assisted vulnerability discovery has arrived. BleepingComputer reported that an autonomous scanning system found an 18-year-old flaw in NGINX.

Sources: GDS weighs in on the NHS’s decision to retreat from Open Source, Friction in Fedora over AI developer desktop initiative, Heavy Community Backlash Blocks Fedora’s AI Developer Desktop Initiative, Popular PlayStation 3 Emulator Devs Push Back On Low-Quality AI Code Submissions, Meet Loupe: AI-Powered Vulnerability Scanning for Open-Source Bitcoin Projects, The First CVE Wave: Signs That AI-Assisted Vulnerability Discovery Has Arrived, 18-year-old NGINX vulnerability allows DoS, potential RCE

License pressure and commercial boundaries

The Bambu Lab dispute around an OrcaSlicer fork kept escalating. Coverage from All3DP, 3Druck, Cybernews, and GamersNexus described the cease-and-desist, mirrors, community backlash, and AGPL-related questions around BambuStudio, cloud connectivity, and closed binary components.

Cal.com drew criticism after moving its production codebase closed source while citing AI-assisted vulnerability discovery. Software Freedom Conservancy also published a broader explanation of incomplete Corresponding Source as a growing copyleft compliance problem.

Elsewhere, Bitwarden prompted questions after removing “Always free” from parts of its website, and Floci gained attention as a free MIT-licensed AWS emulator amid frustration over LocalStack’s paid-plan boundaries. The widely used Go library fsnotify also saw supply-chain and governance concerns after maintainer access changes.

Sources: Bambu Lab Took Down an OrcaSlicer Fork and Handed It a Bigger Audience, Bambu Lab vs. OrcaSlicer fork: Josef Prusa now also speaks out, Bambu Lab cease-and-desist turns into massive PR disaster as YouTubers pledge never to buy again, Fuck You, Bambu Lab: OrcaSlicer-BambuLab Download (with permission), Cal.com just went closed source over AI, but AI is exactly why open source still wins, Dealing with Incomplete Copyleft Source That Doesn’t Correspond, Bitwarden Scrubs ‘Always Free’ and ‘Inclusion’ Values From Its Website, The Quiet Renovation at Bitwarden, Floci Tops 10,000 GitHub Stars as Free, MIT-Licensed AWS Emulator Fills LocalStack’s $39/Month Paywall Gap, Popular Go Library fsnotify Raises Supply Chain Alarms After Maintainer Access Changes

Foundation and ecosystem notes

The Linux Foundation launched an Open Driver Initiative to improve Linux hardware compatibility by encouraging open source drivers. Automotive Grade Linux released its open source SoDeV reference platform and welcomed five new members. Sonatype joined the Linux Foundation’s Sustaining Package Registries Working Group. Chainguard joined FINOS as a Gold Member. The Linux Foundation’s Agentic AI Foundation added 43 new members, including GoDaddy as a Gold Member. The Python Software Foundation welcomed Hudson River Trading as a Visionary Sponsor. The XRP Ledger Foundation appointed Ripple CTO Emeritus David Schwartz as an honorary board member.

OpenSSF also recapped the DARPA-funded AIxCC competition, including a $30.5 million prize pool for AI systems aimed at securing open source software. Tea Protocol announced its mainnet and token generation event for an economic and verification layer around open source software provenance, attribution, and maintainer support. Personal Digital Spaces introduced OpenRSL, an open standard for machine-readable licensing, payment, attribution, and access terms for automated agents.

Forrester’s OCX recap highlighted discussions around open source funding models, vendor-neutral governance, AI, regulation, and license questions. SecurityWeek also reported on the TanStack supply-chain attack that affected OpenAI repositories, a reminder that AI companies remain exposed to open source package ecosystem risks.

Finally, Phoronix reported that longtime Mesa and AMD Linux GPU driver developer Marek Olšák has joined Valve, another sign of Valve’s ongoing investment in open source Linux graphics work.

Sources: Linux Foundation Backs Open Drivers To Improve Linux Hardware Compatibility, Sonatype joins Linux Foundation registry working group, Automotive Grade Linux Releases Open Source SoDeV Reference Platform for Software-Defined Vehicles and Welcomes Five New Members, Chainguard Joins FINOS to Accelerate Trusted Open Source Adoption for Financial Services in the AI Era, Agentic AI Foundation Adds 43 New Members as Enterprise and Government Adoption of Open Agent Standards Accelerates, GoDaddy joins Agentic AI Foundation as Gold Member, PSF Welcomes Hudson River Trading (HRT) as a Visionary Sponsor, Hack to the Future: The Impact and Legacy of the DARPA AIxCC Challenge, Tea Protocol announces June 4 mainnet launch and TGE on Aerodrome to secure open-source development in the AI era, Personal Digital Spaces Introduces OpenRSL: Enabling Website Owners Decentralized Control Over AI Access and Revenue Capture, Ripple’s Schwartz Joins XRP Ledger Foundation, OCX 2026: Open Source As Strategy, OpenAI Hit by TanStack Supply Chain Attack, Longtime Leading AMD Linux GPU Driver Developer Now Working For Valve

Jobs

Foundations and core infrastructure

  • Mozilla — SR Staff Mixed Methods User Researcher (link) — Remote. Posted 2026-05-14.
  • Wikimedia Foundation — Software Engineer III, Core Experiences (link) — Remote. Posted 2026-05-13.
  • Wikimedia Foundation — Senior Site Reliability Engineer, Infrastructure Foundations (link) — Remote. Posted 2026-05-13.
  • Wikimedia Foundation — Senior Data Scientist, Ecosystems (link) — Remote. Posted 2026-05-12.

Community and developer relations

  • Canonical — Technical Author (multiple roles and seniority levels) (link) — Home based - Americas; Home based - EMEA. Posted 2026-05-18.
  • Supabase — Platform Evangelist - AWS (link) — AMER. Posted 2026-05-14.
  • n8n — Customer Marketing Manager (link) — Remote. Posted 2026-05-11.

Sustainability and commercial open source

  • Elastic — Principal Software Engineer - Vector Search - Elasticsearch (link) — United Kingdom. Posted 2026-05-18.
  • Elastic — Senior Software Engineer - Vector Search - Elasticsearch (link) — United States. Posted 2026-05-18.
  • Freedom of the Press Foundation — RFP – Security Researcher (link) — Worldwide/Remote. Posted 2026-05-15.
  • Freedom of the Press Foundation — Cryptography Engineer (link) — Remote US. Posted 2026-05-15.
  • Supabase — AI Tooling Engineer (link) — Remote. Posted 2026-05-15.
  • Canonical — Junior Ubuntu Software Engineer (link) — Home based - Worldwide. Posted 2026-05-15.
  • Grafana Labs — Staff Software Engineer - Grafana Cloud k6 (link) — Germany (Remote). Posted 2026-05-14.
  • Grafana Labs — Staff Software Engineer - Grafana Cloud k6 (link) — Republic of Ireland (Remote). Posted 2026-05-14.
  • Grafana Labs — Staff Software Engineer - Grafana Cloud k6 (link) — Spain (Remote). Posted 2026-05-14.
  • Grafana Labs — Staff Software Engineer - Grafana Cloud k6 (link) — United Kingdom (Remote). Posted 2026-05-14.
  • GitLab — Manager, Security Incident Response Team (link) — Remote US. Posted 2026-05-14.
  • Wikimedia Foundation — Email Developer (Fundraising) - 1 year contract (link) — Remote. Posted 2026-05-14.
  • Grafana Labs — Staff Frontend Engineer - Observability Drilldown (link) — United Kingdom (Remote); EMEA remote options. Posted 2026-05-13.
  • Supabase — Software Engineer: IaC Platform Experience (link) — Remote. Posted 2026-05-13.
  • Mozilla — Senior Solutions Engineer (DACH), Firefox Enterprise (link) — Remote. Posted 2026-05-13.
  • LangChain — Principle Software Engineer, AI Observability & Evals Platform (link) — Boston, MA; San Francisco, CA; New York, NY. Posted 2026-05-13.
  • Supabase — Edge Functions Engineer (link) — Remote. Posted 2026-05-13.
  • ClickHouse — Solutions Architect - LangFuse EMEA (link) — United Kingdom, Germany, Netherlands. Posted 2026-05-12.
  • ClickHouse — Solutions Architect - LangFuse APJ (link) — Australia, Singapore, India. Posted 2026-05-12.
  • Grafana Labs — Manager, Observability Architects (link) — West Coast US (Remote). Posted 2026-05-12.
  • Grafana Labs — Senior Observability Architect (link) — United States PST (Remote). Posted 2026-05-12.
  • Airbyte — Senior Product Manager – UI/UX, PLG & Activation (link) — San Francisco, CA. Posted 2026-05-11.
  • Grafana Labs — Engineering Manager, Mimir (link) — Republic of Ireland (Remote). Posted 2026-05-11.
  • Grafana Labs — Engineering Manager, Mimir (link) — Germany (Remote). Posted 2026-05-11.
  • Grafana Labs — Engineering Manager, Mimir (link) — Spain (Remote). Posted 2026-05-11.
  • Grafana Labs — Engineering Manager, Mimir (link) — Sweden (Remote). Posted 2026-05-11.
  • Wikimedia Foundation — Legal Fellow (Fall 2026) (link) — Remote. Posted 2026-05-14.
  • Datadog — Senior Commercial Counsel (link) — Singapore. Posted 2026-05-12.

References

All source links are included inline above.
