Security Blog
The latest news and insights from Google on security and safety on the Internet
Introducing the Secure Open Source Pilot Program
October 1, 2021
Posted by Meder Kydyraliev and Kim Lewandowski, Google Open Source Security Team
Over the past year we have made a number of investments to strengthen the security of critical open source projects, and recently announced our
$10 billion commitment to cybersecurity defense
including $100 million to support third-party foundations that manage open source security priorities and help fix vulnerabilities.
Today, we are excited to announce our sponsorship for the
Secure Open Source (SOS) pilot program
run by the Linux Foundation. This program financially rewards developers for enhancing the security of critical open source projects that we all depend on. We are starting with a $1 million investment and plan to expand the scope of the program based on community feedback.
Why SOS?
SOS rewards a very broad range of improvements that proactively harden critical open source projects and supporting infrastructure against application and supply chain attacks. To complement existing programs that reward vulnerability management, SOS’s scope is comparatively wider in the type of work it rewards, in order to support project developers.
What projects are in scope?
Since there is no one definition of what makes an open source project critical, our selection process will be holistic. During submission evaluation we will consider the guidelines established by the
National Institute of Standards and Technology’s definition
in response to the recent
Executive Order on Cybersecurity
along with criteria listed below:
The impact of the project:
How many and what types of users will be affected by the security improvements?
Will the improvements have a significant impact on infrastructure and user security?
If the project were compromised, how serious or wide-reaching would the implications be?
The project’s rankings in existing open source criticality research:
Is the project included in the
Havard 2 Census Study
of most-used packages, or does it have a score of 0.6 or above in the
OpenSSF Critically Score
project?
What security improvements qualify?
The program is initially focused on rewarding the following work:
Software supply chain security improvements including hardening CI/CD pipelines and distribution infrastructure. The
SLSA framework
suggests specific requirements to consider, such as basic provenance generation and verification.
Adoption of software artifact signing and verification. One option to consider is Sigstore's set of utilities (e.g.
cosign
).
Project improvements that produce higher
OpenSSF Scorecard
results. For example, a contributor can follow remediation suggestions for the following Scorecard checks:
Code-Review
Branch-Protection
Pinned-Dependencies
Dependency-Update-Tool
Fuzzing
Use of
OpenSSF Allstar
and remediation of discovered issues.
Earning a
CII Best Practice Badge
(which also improves the Scorecard results).
We'll continue adding to the above list, so check our
FAQ
for updates. You may also submit improvements not listed above, if you provide justification and evidence to help us understand the complexity and impact of the work.
Only work completed after October 1, 2021 qualifies for SOS rewards.
Upfront funding is available on a limited case by case basis for impactful improvements of moderate to high complexity over a longer time span. Such requests should explain why funding is required upfront and provide a detailed plan of how the improvements will be landed.
How to participate
Review our
FAQ
and fill out
this form
to submit your application.
Please include as much data or supporting evidence as possible to help us evaluate the significance of the project and your improvements.
Reward amounts
Reward amounts are determined based on complexity and impact of work:
$10,000
or more for complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure.
$5,000-$10,000
for moderately complex improvements that offer compelling security benefits.
$1,000-$5,000
for submissions of modest complexity and impact.
$505
for small improvements that nevertheless have merit from a security standpoint.
Looking Ahead
The SOS program is part of a broader effort to address a growing truth: the world relies on open source software, but widespread support and financial contributions are necessary to keep that software safe and secure. This $1 million investment is just the beginning—we envision the SOS pilot program as the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF. We welcome
community feedback
and interest from others who want to contribute to the SOS program. Together we can pool our support to give back to the open source community that makes the modern internet possible.
No comments :
Post a Comment
Labels
#sharethemicincyber
#supplychain #security #opensource
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2024
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2023
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2022
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2021
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2020
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2019
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2018
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2017
Dec
Nov
Oct
Sep
Jul
Jun
May
Apr
Mar
Feb
Jan
2016
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2015
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2014
Dec
Nov
Oct
Sep
Aug
Jul
Jun
Apr
Mar
Feb
Jan
2013
Dec
Nov
Oct
Aug
Jun
May
Apr
Mar
Feb
Jan
2012
Dec
Sep
Aug
Jun
May
Apr
Mar
Feb
Jan
2011
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
2010
Nov
Oct
Sep
Aug
Jul
May
Apr
Mar
2009
Nov
Oct
Aug
Jul
Jun
Mar
2008
Dec
Nov
Oct
Aug
Jul
May
Feb
2007
Nov
Oct
Sep
Jul
Jun
May
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.
No comments :
Post a Comment