Google Pledges $1 Million to Secure Open Source Program

Google last week pledged $1 million in financial support to the Secure Open Source (SOS) rewards program run by the Linux Foundation.

The pilot program financially rewards developers who help improve the security of critical open source projects and is meant to complement existing vulnerability management programs.

Committed to boosting the security of the open source ecosystem, the Internet search giant recently pledged $100 million in support for projects that aim to fix vulnerabilities in open source software. A couple of weeks ago, Google announced support for OSTIF (Open Source Technology Improvement Fund).

The SOS pilot program has a wider scope than vulnerability reward programs: rather than paying for individual bug reports, it supports developers by offering rewards for various improvements aimed at hardening critical open source projects.

Submitted projects will be considered critical after an evaluation based on guidelines from the National Institute of Standards and Technology issued following the recent Executive Order on Cybersecurity, Google explains.

Other criteria taken into consideration include the project’s impact (in terms of affected users, impact on infrastructure and user security, and the implications of the project’s compromise), and the project’s rankings in existing open source criticality research (such as the Harvard 2 Census Study of most-used packages and the OpenSSF Criticality Score project).

At first, rewards will be awarded for software supply chain security improvements such as the hardening of CI/CD pipelines and distribution infrastructure, adoption of software artifact signing and verification, enhancements that lead to higher OpenSSF Scorecard results, addressing the issues that Scorecard identifies, and the use of OpenSSF Allstar and CII Best Practices Badges.

SOS rewards will only be awarded for work completed after October 1, 2021. On a case-by-case basis, upfront funding may also be awarded, “for impactful improvements of moderate to high complexity over a longer time span,” Google says.

As part of the pilot program, developers may receive $10,000 or more for complicated, high-impact improvements that prevent major vulnerabilities; between $5,000 and $10,000 for moderately complex improvements; between $1,000 and $5,000 for modest complexity submissions; or $505 for small improvements.

Related: Cisco, Sonatype and Others Join Open Source Security Foundation

Related: Tool Helps Developers Visualize Dependencies of Open Source Projects

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
