Google donated $1 million to improve open source security and will also fund security audits of eight major projects

A few days ago Google unveiled the Secure Open Source (SOS) initiative, which pays rewards for work that strengthens critical open source software. One million dollars has been allocated for the first payments, and if the initiative proves successful, investment in the program will continue.

Reward requests are accepted only for merged changes in projects that have a criticality level of at least 0.6 according to the OpenSSF Criticality Score, or that are included in the list of projects requiring special security controls.

The proposed changes should relate to improving security in areas such as hardening infrastructure components (for example, continuous integration and delivery pipelines), implementing verification of digital signatures on software components, and raising the project's overall security level (code review, branch protection, fuzz testing, protection against dependency attacks).

Over the past year, we made a number of investments to strengthen the security of critical open source projects, and we recently announced our $10 billion commitment to cybersecurity defense, including $100 million to support third-party foundations that manage open source security priorities and help fix vulnerabilities.

The rewards are tiered as follows:

  • $10,000 or more: for long-term, significant and complex improvements that protect against serious vulnerabilities in the project's code or infrastructure.
  • $5,000 to $10,000: for medium-complexity improvements that have a positive effect on security.
  • $1,000 to $5,000: for moderate-complexity improvements that increase security.
  • $505: for small security improvements.

Today, we are pleased to announce our sponsorship of the Secure Open Source (SOS) pilot program led by the Linux Foundation. This program financially rewards developers for improving the security of critical open source projects that we all depend on. We are starting with a $1 million investment and plan to expand the program's reach based on community feedback.

In addition, OSTIF (the Open Source Technology Improvement Fund), created to strengthen the security of open source projects, announced a partnership with Google, which has agreed to fund independent security audits of eight open source projects.

With the funds received from Google, it was decided to audit Git, the Lodash JavaScript library, the PHP Laravel framework, the SLF4J Java framework, the Jackson JSON libraries (jackson-core and jackson-databind) and Apache HttpComponents (httpcomponents-core and httpcomponents).

Google's support will allow OSTIF to launch the Managed Audit Program (MAP), which will extend our in-depth security reviews to more projects vital to the open source ecosystem.

Previously, using funds raised through donations, OSTIF had already audited OpenSSL, VeraCrypt, OpenVPN, Monero, Unbound DNS and QRL.

Separately, the community has already compiled tooling for auditing the PHP Symfony framework. If additional audit funding becomes available, audits of Systemd, Electron, Rails, Drupal, Joomla, WebPack, Reprepro, Ceph, React Native, Salt, Ansible, Angular, Gatsby and Guava are also planned.

This marks great success in attracting large corporate donors to support OSTIF's model of improving open source software through security reviews and source code audits.

The selection was made empirically, based on an assessment of each project's security impact on the open source ecosystem and the potential benefit to the community from improving its security. For around 100 projects on GitHub, a score was calculated taking into account factors such as popularity as a dependency, infrastructure demand, number of developers, development activity, numbers of open and closed bug reports, number of organizations supporting the project, frequency of updates, history of identified vulnerabilities, and so on.

Sources: https://ostif.org/, https://security.googleblog.com/
