Google is pledging to provide $100 million to support third-party foundations that manage open source security priorities and help fix vulnerabilities. The company has announced support for Open Source Technology Improvement Fund (OSTIF), with plans to sponsor security reviews of 8 critical open source software projects.
Google’s support will allow OSTIF to launch the Managed Audit Program (MAP), which will expand in-depth security reviews to critical projects vital to the open source ecosystem. The eight libraries, frameworks and apps that were selected for this round are those that would benefit the most from security improvements and make the largest impact on the open-source ecosystem that relies on them, noted a company blog.
The projects include Git, Lodash, Laravel, Slf4j, Jackson-core & Jackson-databind, and Httpcomponents-core & Httpcomponents-client.
This move comes after the company unveiled a $10 billion cybersecurity commitment to support President Biden’s plans to bolster US cyber defenses.
Google has been pursuing several open source security initiatives; a few months ago it introduced Supply Chain Levels for Software Artifacts (SLSA), an end-to-end framework for securing the software supply chain.