Google sponsors SOS pilot program to improve open source software security

Google announced its sponsorship of the Secure Open Source (SOS) pilot program, managed by the Linux Foundation, which grants financial rewards to developers who strengthen the security of critical open source projects. Google has initially invested $1 million in the program and plans to expand its scope based on community feedback.

SOS rewards a wide range of improvements that proactively harden critical open source projects and their supporting infrastructure against attacks on applications and software supply chains. It complements existing programs that reward vulnerability management by directly supporting the developers of those projects.

Submissions will be evaluated against industry standards and guidelines defined by the Institute of Technology, along with other criteria, including:

  • How many users, and what types of users, will be affected by the security improvement?
  • Will the improvement have a significant impact on infrastructure and user security?
  • If the project were compromised, how severe or widespread would the impact be?

The initial focus of the program is on security improvements in the software supply chain, the signing and verification of software artifacts, and improvements that produce higher OpenSSF Scorecard results.

Rewards range from more than $10,000 for complex, high-impact, and lasting improvements that will almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure, down to $500 for small improvements that nonetheless have merit from a security perspective.

The SOS pilot program is seen as the starting point for future efforts, with the hope of bringing other large organizations on board and turning it into a sustainable, long-term initiative under OpenSSF.
