Google last week pledged $1 million in financial support to the Secure Open Source (SOS) rewards program run by the Linux Foundation.
The pilot program financially rewards developers who help improve the security of critical open source projects and is meant to complement existing vulnerability management programs.
Committed to boosting the security of the open source ecosystem, the Internet search giant recently pledged $100 million in support for projects that aim to fix vulnerabilities in open source projects. A couple of weeks ago, Google announced support for OSTIF (Open Source Technology Improvement Fund).
The SOS pilot program has a wider scope than vulnerability reward programs: rather than paying for individual bug reports, it supports developers by offering rewards for a range of improvements aimed at hardening critical open source projects.
Submitted projects will be considered critical after an evaluation based on guidelines from the National Institute of Standards and Technology following the recent Executive Order on Cybersecurity, Google explains.
Other criteria taken into consideration include the impact of the project (in terms of affected users, impact on infrastructure and user security, and the implications of the project’s compromise), and the project’s rankings in existing open source criticality research (such as the Harvard 2 Census Study of most-used packages and the OpenSSF Criticality Score project).
At first, rewards will be awarded for software supply chain security improvements such as the hardening of CI/CD pipelines and distribution infrastructure, adoption of software artifact signing and verification, enhancements that lead to higher OpenSSF Scorecard results, use of OpenSSF Allstar together with addressing the issues it identifies, and earning CII Best Practice Badges.
SOS rewards will only be awarded for work completed after October 1, 2021. On a case-by-case basis, upfront funding may also be awarded, “for impactful improvements of moderate to high complexity over a longer time span,” Google says.
As part of the pilot program, developers may receive $10,000 or more for complicated, high-impact improvements that prevent major vulnerabilities; between $5,000 and $10,000 for moderately complex improvements; between $1,000 and $5,000 for modest complexity submissions; or $505 for small improvements.