$1 Million SOS Rewards Pilot Program
Written by Sue Gee   
Tuesday, 05 October 2021

With Google sponsorship, the Linux Foundation has launched the Secure Open Source Rewards pilot program to incentivize improvements that proactively harden critical open source projects and their supporting infrastructure against application and supply chain attacks. Rewards range from $505 to $10,000 or more.

In view of the ubiquity of cyberattacks that exploit vulnerabilities that target people, organizations, and governments around the world, in August 2021 Google announced that it was going to invest $10 billion over the next five years to strengthen cybersecurity, including enhancing open-source security. This included a pledge of $100 million to support third-party foundations, like OpenSSF, that manage open source security priorities and help fix vulnerabilities.


Now Google has announced sponsorship for the Secure Open Source (SOS) pilot program run by the Linux Foundation which offers financial rewards to developers for enhancing the security of the critical open source projects that we all depend on. Google is starting with a $1 million investment and plans to expand the scope of the program based on community feedback.

The reward amounts are determined on both the complexity and the impact of the improvement made: 

  • $ 10,000 or more – for introducing complex, significant and relevant in the long term improvements that provide protection against serious vulnerabilities in the code or infrastructure of open projects.
  • $ 5000 - $ 10000 – for improvements of medium difficulty that have a positive effect on safety.
  • $ 1000 - $ 5000 for moderate difficulty improvements that increase security.
  • $ 505 – for small security improvements.

Awards will be paid using the Linux Foundation Crowdfunding platform.

Claiming a reward is a matter of filling in a form in respect of a security improvement that was completed after October 1, 2021. To qualify the open source project should count as being critical. For this it should be widely used and the suggestion is that it should be included in the Harvard 2 Census Study,  part of the Linux Foundation's Core Infrastructure Initiative (CII) and another project intended to  inform actions to sustain the long-term security and health of FOSS. Alternatively it should have a criticality score of 0.6 or above in the Open SSF Criticality Score project, see Taking Open Source Criticality Seriously.

When bestowing a reward impact will also be taken into consideration. The critria set out on the SOS.dev are:

  • How many and what types of users will be affected by the security improvements?
  • Will the improvements have a significant impact on infrastructure and user security?
  • If the project were compromised, how serious or wide-reaching would the implications be?

As for the type of security improvements that qualify for a financial reward, the suggestions include the following, and also says that the list will be extended:

  • Software supply chain security improvements including hardening CI/CD pipelines and distribution infrastructure. 
  • Adoption of software artifact signing and verificationn).
  • Project improvements that produce higher OpenSSF Scorecard results. For example, a contributor can follow remediation suggestions for the following Scorecard checks:







The FAQ's note that SOS Rewards is not a bug bounty program and does not reward reports of specific project vulnerabilities and that any vulnerabilities found in a project should be reported according to the project's security disclosure policy.

In the case of  impactful improvements of moderate to high complexity the require a substantial time span upfront funding will be considered on a case by case basis.

Last year when reporting on the OSSF Criticality Score project, I noted that it was:

the first step on an undertaking to ensure that projects that are heavily relied on get the resources they need.

The SOS Rewards program seems to be a good follow up in the endeavour to improve the security of the open source projects that are vital to enterprise, commerce and government the world over.  

As SOS.dev puts it:

The SOS program is part of a broader effort to address a growing truth: the world relies on open source software, but widespread support and financial contributions are necessary to keep that software safe and secure. This $1 million investment is just the beginning—we envision the SOS pilot program as the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF.



More Information


Related Articles

Taking Open Source Criticality Seriously

Open Source Insights Into The Software Supply Chain

The State Of Secure Software Development - Three OpenSSF Courses

Google Funding For Linux Security


To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.



WWII Cipher Machine As Used On D-Day

To celebrate the 80th anniversary of D-Day there's a new addition to the line up of cryptographic machines on Martin Gillow's VirtualColossus website - a 3D simulation of the Hagelin M-209 cipher [ ... ]

Deno Adds Support For Private npm Registries

Deno 1.44 has been released with support for private npm registries and for gRPC connections.

More News

C book



or email your comment to: comments@i-programmer.info



Last Updated ( Tuesday, 05 October 2021 )