
Application Security

Google Pledges $1 Million to Secure Open Source Program

Google last week pledged $1 million in financial support to the Secure Open Source (SOS) rewards program run by the Linux Foundation.

The pilot program financially rewards developers who help improve the security of critical open source projects and is meant to complement existing vulnerability management programs.


Committed to boosting the security of the open source ecosystem, the Internet search giant recently pledged $100 million in support for projects that aim to fix vulnerabilities in open source projects. A couple of weeks ago, Google announced support for OSTIF (Open Source Technology Improvement Fund).

The SOS pilot program has a wider scope than vulnerability reward programs: rather than paying for individual bug reports, it supports developers directly, offering rewards for a range of improvements aimed at hardening critical open source projects.

Submitted projects will be considered critical after an evaluation based on guidelines from the National Institute of Standards and Technology, issued following the recent Executive Order on Cybersecurity, Google explains.

Other criteria taken into consideration include the impact of the project (in terms of affected users, impact on infrastructure and user security, and the implications of the project’s compromise), and the project’s rankings in existing open source criticality research (such as the Harvard 2 Census Study of most-used packages and the OpenSSF Criticality Score project).

At first, rewards will be awarded for software supply chain security improvements, such as hardening CI/CD pipelines and distribution infrastructure, adopting software artifact signing and verification, making enhancements that raise a project’s OpenSSF Scorecard results and addressing the issues Scorecard identifies, adopting OpenSSF Allstar, and earning CII Best Practices Badges.

SOS rewards will only be awarded for work completed after October 1, 2021. On a case-by-case basis, upfront funding may also be awarded, “for impactful improvements of moderate to high complexity over a longer time span,” Google says.


As part of the pilot program, developers may receive $10,000 or more for complicated, high-impact improvements that prevent major vulnerabilities; between $5,000 and $10,000 for moderately complex improvements; between $1,000 and $5,000 for modest complexity submissions; or $505 for small improvements.

Related: Cisco, Sonatype and Others Join Open Source Security Foundation

Related: Tool Helps Developers Visualize Dependencies of Open Source Projects

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
