Few companies are as committed to the cause of open source software as Google LLC, and as an emphasis on this point, the company said today that it is sponsoring the Linux Foundation’s new Secure Open Source pilot program.
The SOS program is an initiative that promises to financially reward developers for improving the security of what are considered “critical open source projects” upon which many organizations depend. To get the ball rolling, Google announced that it would donate $ 1 million to fund these payments.
In a blog post, the heads of Google’s open source security team, Meder Kydyraliev and Kim Lewandowski, said the idea with SOS is to reward various enhancements that proactively bolster critical open source projects and take supports infrastructure against application and supply chain attacks. They explain that the whole world is increasingly dependent on open source software, and widespread support and financial incentives are needed to encourage developers to keep such software safe and secure.
The SOS program is part of a larger effort to address a growing truth: The world relies on open source software, but widespread support and financial contributions are needed to keep such software secure.
A number of similar developer reward programs already exist, but Google said the SOS has a much broader reach than previous efforts. The rewards amounts are also quite high, with $ 10,000 or more offered to developers who come up with complex, high-impact, and long-lasting enhancements that will almost certainly prevent vulnerabilities in affected code or supporting infrastructure.
Moderately complex upgrades that offer “compelling safety benefits” will be eligible for a payout between $ 5,000 and $ 10,000, while submissions of “modest complexity and impact” will receive $ 1,000 to $ 5,000, depending on their impact. Developers can also get a reward of $ 505 for small improvements that are deemed interesting from a security perspective.
Kydyraliev and Lewandowski said the process for selecting eligible open source software projects will be holistic, based on guidelines established by the National Institute of Standards and Technology. The SOS will also take into account additional criteria such as the impact of the project in terms of the types of users who will be affected by the security improvements, the importance of the improvements and the severity of the implications if the project is compromised. The ranking of the project in existing open source criticality research will also be taken into account.
The awards will go to developers who can implement a wide range of security enhancements, including those focused on improving the security of the software supply chain, such as strengthening continuous integration and continuous development pipelines and distribution infrastructure. Improvements that lead to the adoption of software artifact signing and verification, and those that produce higher OpenSSF Scorecard results will also be rewarded, said Kydyraliev and Lewandowski.
To request a financial reward, developers should read the SOS FAQ page and then submit their application through this form. Google has said it will only pay rewards for work completed after October 1, 2021.
Seed funding will also be provided on a case-by-case basis for moderate and complex upgrades that are deemed worthy enough, although developers will need to explain why they need the funding and also provide a detailed plan of the upgrades they intend to make. enforce .
Holger Mueller, analyst at Constellation Research Inc., told SiliconANGLE that the SOS project is a welcome initiative. He said open source software is what powers most modern computing platforms today, beating proprietary software development in-house.
“It’s good to see a major cloud player like Google tackling what is widely seen as the Achilles heel of the open source ecosystem – security,” Mueller said. “While funding may not be enough to secure entire software projects, this is a major incentive for the majority of project contributors, most of whom do their work for free in their spare time. Time will tell how successful the SOS program will be.
For now, the SOS project is still ongoing, but Google has said it will continue to expand its reach to cover a wider range of security improvements and projects. For example, developers who make improvements in unforeseen areas can still apply for an award as long as they can provide a rationale and evidence for the complexity and impact of their work.
Google is also hoping that other large organizations that depend on open source software will support the SOS program and provide funding, so that it can become a sustainable, long-term initiative that benefits everyone.