Log4Shell - The Open Source World on Fire or Why Open Source Security depends on the Funding of Software Maintenance
2022-03-18, Stage 2

The German government has a proposal on its desk, written by Adriana Groh, Katharina Meyer, Fiona Krakenbürger and Eileen Wagner, with some contribution by Thomas Fricke.
It proposes setting up a fund, starting with 10 Mio € per year, to organize support for Open Source projects that are well staffed for coding but need support with security and all the accompanying processes. When the proposal was written, it very soon became clear that many Open Source projects were in need of support. Security audits, when not done regularly, produce a lot of findings. Maintaining older versions that are still in production, and developers supporting 435,000 packages as a part-time job, are quite common. Malicious packages need to be filtered. Maintainers are sometimes close to burnout.

Therefore, it was no surprise that something would happen, but it was not clear when and where the point of impact would be. In December 2021 the Log4Shell bug caused major damage nearly everywhere, and for the first time the blast radius of a bug reached Mars, causing damages of several billion.

How can we prevent events like this in the future? How can we leverage the 10 Mio € into a substantial sum?

What needs to change?

Kubernetes Security Architect

System Automation

Aligning Industrial Companies to Clouds, Agility, Open Source, Automation

SecDevOps

Cloud, Database and Software Architect

K8S since September 2015

Kubernetes Security Meetup Berlin

German Articles on K8Sec at Heise

Trainings

Member of
Octarine Technical Advisory Board (now VMware), AG Kritis, Gaia X

Several boards supporting Digital Sovereignty for the EU and Germany

Freelancer

Partner Endocode, Member of the Advisory Board, former CTO