The SOS program, run by the Linux Foundation, will reward developers with potentially more than $10,000 for improving the security of critical open source software.
As part of Google's recently announced $10 billion commitment to cybersecurity defense, the company announced Friday its sponsorship of the Secure Open Source (SOS) Rewards pilot program run by the Linux Foundation.
The program financially rewards developers for improving the security of critical open source projects. It is run by the Linux Foundation with initial sponsorship of $1 million from the Google Open Source Security Team.
"The existing reward programs in the open source community are mainly focused on finding vulnerabilities, but this program is focused on embedding security as part of the software development lifecycle and helping the ecosystem thrive with sustained investments," said Abhishek Arya, principal engineer and manager of Google's Open Source Security Team. "Google's investment and commitment to 'shift left' can stop security vulnerabilities before they even happen."
The SOS program rewards a broad range of improvements that proactively harden critical open source projects and their supporting infrastructure against application and supply chain attacks, Google said in a press release.
Since there is no single definition of what makes an open source project critical, Google said its selection process will be holistic. Google will consider the guidelines established by the National Institute of Standards and Technology's definition of what constitutes critical software.
The program is initially focused on rewarding the following work, and Google will add to the list as time goes on:
Software supply chain security improvements, including hardening continuous integration/continuous delivery (CI/CD) pipelines and distribution infrastructure. The SLSA framework suggests specific requirements to consider, such as basic provenance generation and verification.
Adoption of software artifact signing and verification.
Project improvements that produce higher OpenSSF Scorecard results.
Developers can also submit improvements not on the list as long as they provide justification and evidence to help the SOS program administrators understand the complexity and impact of the completed work. Only work completed after October 1, 2021 qualifies for SOS rewards.
Upfront funding will be available on a case-by-case basis for impactful improvements of moderate to high complexity carried out over a longer time span.
How can developers participate, and what are the rewards?
Developers wishing to participate in the program should visit the FAQ page and fill out the Secure Open Source submission form.
Reward amounts are determined based on the complexity and impact of the work:
$10,000 or more for complicated, high-impact and lasting improvements that prevent major vulnerabilities in the affected code or supporting infrastructure.
$5,000-$10,000 for moderately complex improvements that offer compelling security benefits.
$1,000-$5,000 for submissions of modest complexity and impact.
$505 for small improvements that nevertheless have merit from a security standpoint.