Google stakes new Secure Open Source rewards program for developers with $1M seed money

2 years ago 295

The SOS program, tally by the Linux Foundation, volition reward developers with perchance much than $10,000 for enhancing the information of captious unfastened root software.

As portion of Google's precocious announced $10 cardinal committedness to cybersecurity defense, the institution announced Friday the sponsorship for the Secure Open Source (SOS) Rewards aviator program tally by the Linux Foundation.

The programme financially rewards developers for improving the information of captious unfastened root projects. It's tally by the Linux Foundation with archetypal sponsorship from the Google Open Source Security Team of $1 million.

"The existing reward programs successful the unfastened root assemblage are chiefly focused connected uncovering vulnerabilities, but this programme is focused connected embedding information arsenic portion of the bundle improvement lifecycle and helping the ecosystem thrive with sustained investments," said Abhishek Arya, main technologist and manager of Google's Open Source Security Team. "Google's concern and committedness to 'shift left' tin halt information vulnerabilities earlier they adjacent happen."

SEE: Security incidental effect policy (TechRepublic Premium)

The SOS programme rewards a wide scope of improvements that proactively harden captious unfastened root projects and supporting infrastructure against exertion and proviso concatenation attacks, Google said successful a property release.

Since determination is nary 1 explanation of what makes an unfastened root task critical, Google said its enactment process volition beryllium holistic. Google volition see the guidelines established by the National Institute of Standards and Technology's explanation of what constitutes captious software.

The programme is initially focused connected rewarding the pursuing work, and Google volition adhd to the database arsenic clip goes on:

Software proviso concatenation information improvements including hardening continuous integration/continuous transportation (CI/CD) pipelines and organisation infrastructure. The SLSA framework suggests circumstantial requirements to consider, specified arsenic basal provenance procreation and verification.
Adoption of bundle artifact signing and verification.
Project improvements that nutrient higher OpenSSF Scorecard results.

Developers whitethorn besides taxable improvements not successful the database truthful agelong arsenic they supply justification and grounds to assistance the SOS programme administrators recognize the complexity and interaction of the completed work. Only enactment completed aft October 1, 2021 qualifies for SOS rewards.

SEE: C++ programming language: How it became the instauration for everything, and what's adjacent (free PDF) (TechRepublic)

Upfront backing volition beryllium disposable connected a lawsuit by lawsuit ground for impactful improvements of mean to precocious complexity implicit a longer clip span.

How tin developers participate, and what are the rewards?

Developers wishing to enactment successful the programme should sojourn the FAQ page and capable retired the Secure Open Source submission form.

Reward amounts are determined based connected the complexity and interaction of work:

$10,000 oregon much for complicated, high-impact and lasting improvements that forestall large vulnerabilities successful the affected codification oregon supporting infrastructure.
$5,000-$10,000 for moderately analyzable improvements that connection compelling information benefits.
$1,000-$5,000 for submissions of humble complexity and impact.
$505 for tiny improvements that nevertheless person merit from a information standpoint.