Google Pledges $1m to Secure Open Source Project


Google has announced financial backing for a new initiative designed to incentivize proactive security improvements to open source code.

Unlike bug bounty programs, which pay researchers for discovering critical software bugs, the Secure Open Source (SOS) pilot will instead reward developers whose work prevents major vulnerabilities from appearing in the first place.

“SOS rewards a very broad range of improvements that proactively harden critical open source projects and supporting infrastructure against application and supply chain attacks,” Google explained.

“To complement existing programs that reward vulnerability management, SOS’s scope is comparatively wider in the type of work it rewards, in order to support project developers.”

The selection process for in-scope projects will take into account NIST guidelines and the new Presidential executive order on cybersecurity, as well as criteria such as how many users would be affected and how serious the impact of a compromise would be.

The initial list of projects includes software supply chain improvements such as hardening of CI/CD pipelines, adoption of software artifact signing and verification, and enhancements that produce higher OpenSSF Scorecard results.

SOS will also consider projects that run OpenSSF Allstar and remediate the issues it flags, and those able to earn a CII Best Practices Badge.

Google’s $1m investment will help to fund awards of $10,000 or more for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure.”

Smaller awards, ranging from $505 to $10,000, are available depending on the complexity and benefit of the work.

“This $1 million investment is just the beginning — we envision the SOS pilot program as the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF,” Google concluded.

“We welcome community feedback and interest from others who want to contribute to the SOS program. Together we can pool our support to give back to the open source community that makes the modern internet possible.”

A recent report from Sonatype revealed a 650% year-on-year increase in upstream supply chain attacks impacting open source software components.
