As part of Google’s recently announced $10 billion commitment to cybersecurity defense, the company announced Friday that it is sponsoring the Secure Open Source (SOS) Rewards pilot program run by the Linux Foundation.
The program financially rewards developers for improving the security of critical open source projects. It’s run by the Linux Foundation with initial sponsorship from the Google Open Source Security Team of $1 million.
“The existing reward programs in the open source community are primarily focused on finding vulnerabilities, but this program is focused on embedding security as part of the software development lifecycle and helping the ecosystem thrive with sustained investments,” said Abhishek Arya, principal engineer and manager of Google’s Open Source Security Team. “Google’s investment and commitment to ‘shift left’ can stop security vulnerabilities before they even happen.”
The SOS program rewards a broad range of improvements that proactively harden critical open source projects and supporting infrastructure against application and supply chain attacks, Google said in a press release.
Since there is no one definition of what makes an open source project critical, Google said its selection process will be holistic. Google will consider the guidelines established by the National Institute of Standards and Technology’s definition of what constitutes critical software.
The program is initially focused on rewarding the following work, and Google will add to the list as time goes on:
Software supply chain security improvements including hardening continuous integration/continuous delivery (CI/CD) pipelines and distribution infrastructure. The SLSA framework suggests specific requirements to consider, such as basic provenance generation and verification.
Adoption of software artifact signing and verification.
Project improvements that produce higher OpenSSF Scorecard results.
Developers may also submit improvements not in the list so long as they provide justification and evidence to help the SOS program administrators understand the complexity and impact of the completed work. Only work completed after October 1, 2021 qualifies for SOS rewards.
Upfront funding will be available on a case-by-case basis for impactful improvements of moderate to high complexity that span a longer period of time.
How can developers participate, and what are the rewards?
Reward amounts are determined based on the complexity and impact of work:
$10,000 or more for complicated, high-impact and lasting improvements that prevent major vulnerabilities in the affected code or supporting infrastructure.
$5,000-$10,000 for moderately complex improvements that offer compelling security benefits.
$1,000-$5,000 for submissions of modest complexity and impact.
$505 for small improvements that nevertheless have merit from a security standpoint.