Code-hosting platform GitHub on Tuesday announced a new effort to improve the security and sustainability of open source projects through financial help, education, certification, and more.
The Microsoft-owned platform is now accepting applications for the GitHub Secure Open Source Fund, which launches with $1.25 million to be invested in 125 projects, and will leave applications open until January 7, 2025.
The purpose of the fund, GitHub says, is to build a security-minded community of maintainers and funders with shared objectives, which in turn should improve the security of the open source ecosystem as a whole.
“We’re taking an ecosystem approach because we believe a dependency graph is more than just connected software. It is the underlying people that underpin the success and sustainability of open source,” GitHub notes.
As part of the program, project maintainers will receive financial support, security education, certification, mentorship, tooling, promotion, and bi-annual security health reports.
Maintainers will receive $10,000 per project in funding, paid directly via GitHub Sponsors, and will take part in a 5-10 hour per week commitment (including workshops, group sessions, mentorship, and project work), with dedicated time with the GitHub Security Lab team, access to security experts, and engagement with the community.
Additionally, GitHub will offer free access to and training for relevant products, such as Copilot, Copilot Autofix, and Secret Scanning, access to the new GitHub Secure Open Source community, and opportunities for networking and support.
“Nobody wants their open source project to be the source of security issues to people who use it, but keeping up to date with everything, dealing with security reports and issuing fixes all takes time. And that is often the hardest thing to find when you are already maintaining the project in your spare time,” the platform notes.
The GitHub Secure Open Source Fund launches with support from over a dozen organizations, but GitHub says it will continue to accept partners interested in funding open source security.
“We all stand to benefit from unlocking more funding for open source. By tackling problems like open source security as an ecosystem, we believe we can help create more available funding and resources that are vital to the sustainability of open source,” GitHub says.