Google today announced sponsorship of the Secure Open Source (SOS) pilot program, run by the Linux Foundation. The company plans to start with a $1 million investment to financially reward developers for enhancing the security of critical open source projects. This follows Google's previous $10 billion commitment to open source security.
Evaluation will be based on the guidelines in the National Institute of Standards and Technology's definition issued in response to the recent Executive Order on Cybersecurity. Other factors include whether the project is included in the Harvard 2 Census Study of most-used packages and whether the issue being resolved has a score of 0.6 or above in the OpenSSF Criticality Score project.
Specifically, the program is focused on rewarding software supply chain security improvements, including hardening CI/CD pipelines and distribution infrastructure, adoption of software artifact signing and verification, project improvements that produce higher OpenSSF Scorecard results, use of OpenSSF Allstar and remediation of the issues it discovers, and earning a CII Best Practice Badge.
Rewards will be determined by the complexity and impact of the work, ranging from $10,000 or more for complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities, down to $505 for small improvements that have merit from a security standpoint. Upfront funding is available on a limited basis for impactful improvements of moderate to high complexity carried out over a longer time span; such requests must include a detailed plan of how the improvements will be delivered.
Only work completed after October 1, 2021 qualifies for SOS rewards. The program covers a very broad range of improvements that proactively harden critical open source projects and their supporting infrastructure against application and supply chain attacks.