Calif.io have access to Mythos Preview which they've used to find a macOS kernel memory corruption exploit on Apple M5:
https://blog.calif.io/p/first-public-kernel-memory-corruptio...

It's probably the right approach to onboard a few independent security companies and task them with reviewing multiple OSS projects rather than to onboard each project individually.