Google sponsors pilot program to improve open source security
Google is announcing its sponsorship of the Secure Open Source (SOS) pilot program, run by the Linux Foundation, which financially rewards developers for enhancing the security of critical open source projects.
Google is starting with a $1 million investment and plans to expand the scope of the program based on community feedback.
SOS rewards a very broad range of improvements that proactively harden critical open source projects and their supporting infrastructure against application and supply chain attacks. To complement existing programs that reward vulnerability management, SOS deliberately covers a wider range of work, so that project developers are rewarded for preventive hardening and not only for handling reported vulnerabilities.
Submissions will be evaluated in light of the guidelines established in the National Institute of Standards and Technology's definition, along with other criteria including:
- How many and what types of users will be affected by the security improvements?
- Will the improvements have a significant impact on infrastructure and user security?
- If the project were compromised, how serious or wide-reaching would the implications be?
The program's initial focus will be on software supply chain security improvements, adoption of software artifact signing and verification, and improvements producing higher OpenSSF Scorecard results.
Rewards will range from $10,000+ for complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure, down to $500 for small improvements that nonetheless have merit from a security standpoint.
The SOS pilot program is seen as the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF. More information about the program is available from the Linux Foundation.