Google Pledges $1m to Secure Open Source Project

Google has announced financial backing for a new initiative designed to incentivize proactive security improvements to open source code.



Unlike bug bounty programs, which pay researchers for discovering critical software bugs, the Secure Open Source (SOS) project will pay developers whose work prevents major vulnerabilities from appearing in the first place.



“SOS rewards a very broad range of improvements that proactively harden critical open source projects and supporting infrastructure against application and supply chain attacks,” Google explained.



“To complement existing programs that reward vulnerability management, SOS’s scope is comparatively wider in the type of work it rewards, in order to support project developers.”



The selection process for in-scope projects will take into account NIST guidelines and the new Presidential Executive Order on cybersecurity, as well as criteria such as how many users a compromise would affect and how serious its impact would be.



The initial list of in-scope work includes software supply chain improvements such as hardening of CI/CD pipelines, adoption of software artifact signing and verification, and enhancements that produce higher OpenSSF Scorecard results.



SOS will also reward projects that deploy OpenSSF Allstar and remediate the issues it finds, and work that qualifies a project for a CII Best Practices Badge.



Google’s $1m investment will help to fund awards of $10,000 or more for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities in the affected c ..