|$1 Million SOS Rewards Pilot Program|
|Written by Sue Gee|
|Tuesday, 05 October 2021|
With Google sponsorship, the Linux Foundation has launched the Secure Open Source Rewards pilot program to incentivize improvements that proactively harden critical open source projects and their supporting infrastructure against application and supply chain attacks. Rewards range from $505 to $10,000 or more.
In view of the ubiquity of cyberattacks that exploit vulnerabilities that target people, organizations, and governments around the world, in August 2021 Google announced that it was going to invest $10 billion over the next five years to strengthen cybersecurity, including enhancing open-source security. This included a pledge of $100 million to support third-party foundations, like OpenSSF, that manage open source security priorities and help fix vulnerabilities.
Now Google has announced sponsorship for the Secure Open Source (SOS) pilot program run by the Linux Foundation which offers financial rewards to developers for enhancing the security of the critical open source projects that we all depend on. Google is starting with a $1 million investment and plans to expand the scope of the program based on community feedback.
The reward amounts are determined on both the complexity and the impact of the improvement made:
Awards will be paid using the Linux Foundation Crowdfunding platform.
Claiming a reward is a matter of filling in a form in respect of a security improvement that was completed after October 1, 2021. To qualify the open source project should count as being critical. For this it should be widely used and the suggestion is that it should be included in the Harvard 2 Census Study, part of the Linux Foundation's Core Infrastructure Initiative (CII) and another project intended to inform actions to sustain the long-term security and health of FOSS. Alternatively it should have a criticality score of 0.6 or above in the Open SSF Criticality Score project, see Taking Open Source Criticality Seriously.
When bestowing a reward impact will also be taken into consideration. The critria set out on the SOS.dev are:
As for the type of security improvements that qualify for a financial reward, the suggestions include the following, and also says that the list will be extended:
The FAQ's note that SOS Rewards is not a bug bounty program and does not reward reports of specific project vulnerabilities and that any vulnerabilities found in a project should be reported according to the project's security disclosure policy.
In the case of impactful improvements of moderate to high complexity the require a substantial time span upfront funding will be considered on a case by case basis.
Last year when reporting on the OSSF Criticality Score project, I noted that it was:
the first step on an undertaking to ensure that projects that are heavily relied on get the resources they need.
The SOS Rewards program seems to be a good follow up in the endeavour to improve the security of the open source projects that are vital to enterprise, commerce and government the world over.
As SOS.dev puts it:
The SOS program is part of a broader effort to address a growing truth: the world relies on open source software, but widespread support and financial contributions are necessary to keep that software safe and secure. This $1 million investment is just the beginning—we envision the SOS pilot program as the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF.
or email your comment to: email@example.com
|Last Updated ( Tuesday, 05 October 2021 )|