The SOS program, managed by the Linux Foundation, will reward developers with potentially more than $10,000 for improving the security of critical open source software.
As part of Google’s recently announced $10 billion commitment to cybersecurity defense, the company announced on Friday its sponsorship of the Secure Open Source (SOS) Rewards pilot program run by the Linux Foundation.
The program financially rewards developers for improving the security of critical open source projects. It is managed by the Linux Foundation with an initial $1 million in sponsorship from Google’s open source security team.
“Existing reward programs in the open source community are primarily focused on finding vulnerabilities, but this program aims to embed security into the software development lifecycle and help the ecosystem thrive through sustained investment,” said Abhishek Arya, senior engineer and director of Google’s open source security team. “Google’s investment and commitment to ‘move to the left’ can stop security vulnerabilities before they even happen.”
The SOS program rewards a wide range of enhancements that proactively strengthen critical open source projects and support infrastructure against application and supply chain attacks, Google said in a press release.
Since there is no single definition of what makes an open source project critical, Google has stated that its selection process will be holistic. Google will consider the guidelines established by the National Institute of Standards and Technology’s definition of what constitutes critical software.
The program is initially focused on rewarding the following kinds of work, and Google will add to the list over time:
Software supply chain security enhancements, including hardening continuous integration / continuous delivery (CI/CD) pipelines and distribution infrastructure. The SLSA framework suggests specific requirements to consider, such as basic provenance generation and verification.
Adoption of software artifact signing and verification.
Project improvements that produce higher OpenSSF Scorecard results.
Developers can also submit improvements not on the list as long as they provide a rationale and evidence to help SOS program administrators understand the complexity and impact of the completed work. Only work completed after October 1, 2021 is eligible for SOS rewards.
Initial funding will be awarded on a case-by-case basis for impactful improvements of moderate to high complexity carried out over a longer period.
How can developers participate and what are the rewards?
Developers wishing to participate in the program should visit the FAQ page and complete the Secure Open Source submission form.
The amounts of the rewards are determined based on the complexity and impact of the work:
$10,000 or more for complex, high-impact, and lasting enhancements that prevent major vulnerabilities in affected code or supporting infrastructure.
$5,000 to $10,000 for moderately complex upgrades that offer compelling security benefits.
$1,000 to $5,000 for submissions of modest complexity and impact.
$505 for small improvements that nevertheless have merit from a security point of view.