Google today launched a Secure Open Source (SOS) pilot program, managed by the Linux Foundation, through which it will set aside $1 million to compensate developers who work on initiatives that make open source software more secure.
Abhishek Arya, senior engineer and head of Google's open source security team, said the effort is the latest installment in a $10 billion commitment to cybersecurity that Google previously announced. The decision to compensate developers for their efforts will be based on guidelines established by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, in response to the recent executive order on cybersecurity issued by the Biden administration.
Other factors include whether the project appears in the Harvard 2 Census Study of the Most Used Packages and whether the project has a score of 0.6 or higher in the OpenSSF Criticality Score project.
Rewards will be based on the complexity and impact of the work, ranging from $10,000 or more for complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities down to $505 for small improvements that have merit from a security perspective. Upfront funding is available on a limited basis for impactful improvements of moderate to high complexity carried out over a longer period; such requests require a detailed plan of how the improvements will be made.
Specifically, the program seeks to encourage the hardening of continuous integration / continuous delivery (CI/CD) pipelines and distribution infrastructure, as well as any other task defined in the Supply-chain Levels for Software Artifacts (SLSA) framework, which covers everything from code review to dependency updates. The program will also encourage open source project maintainers to adopt signing and verification of software artifacts.
The Linux Foundation also encourages open source projects to earn a best practices badge from the Core Infrastructure Initiative (CII) that it administers.
Arya says the $1 million investment is only the start of the effort by Google and the Linux Foundation; the hope is that other organizations will contribute financial resources to reward developers for the time and effort they put into improving security.
When it comes to software security, the challenge is that most developers focus squarely on building features. Security is generally seen as a less glamorous set of programming tasks that some other open source contributor will take care of. As a result, the number of developers working on open source security issues is relatively small. Google is hoping that if developers are paid for this work, a dedicated group of security-focused open source developers will emerge, Arya noted.
Following a series of high-profile software supply chain breaches, attention has turned to the security of open source software. Today, most applications use open source components to varying degrees, and not all of those components are equally secure. Security teams regularly find themselves hunting for vulnerabilities that may exist in older versions of open source software, or that have only just been disclosed. The more secure the open source software is to begin with, the less often that tedious task has to be repeated.