The SOS program, run by the Linux Foundation, will reward developers with potentially more than $10,000 for improving the security of critical open source software.
As part of Google's recently announced $10 billion commitment to cybersecurity defense, the company announced Friday its sponsorship of the Secure Open Source (SOS) Rewards pilot program run by the Linux Foundation.
The program financially rewards developers for improving the security of critical open source projects. It is run by the Linux Foundation with initial sponsorship of $1 million from the Google Open Source Security Team.
"The existing reward programs in the open source community are primarily focused on finding vulnerabilities, but this program is focused on embedding security as part of the software development lifecycle and helping the ecosystem thrive with sustained investments," said Abhishek Arya, principal engineer and manager of Google's Open Source Security Team. "Google's investment and commitment to 'shift left' can stop security vulnerabilities before they even happen."
The SOS program rewards a broad range of improvements that proactively harden critical open source projects and supporting infrastructure against application and supply chain attacks, Google said in a press release.
Since there is no single definition of what makes an open source project critical, Google said its selection process will be holistic. Google will consider the guidelines established by the National Institute of Standards and Technology's definition of what constitutes critical software.
The program is initially focused on rewarding the following work, and Google will add to the list as time goes on:
Software supply chain security improvements, including hardening continuous integration/continuous delivery (CI/CD) pipelines and distribution infrastructure. The SLSA framework suggests specific requirements to consider, such as basic provenance generation and verification.
Adoption of software artifact signing and verification.
Project improvements that produce higher OpenSSF Scorecard results.
Developers may also submit improvements not on the list as long as they provide justification and evidence to help the SOS program administrators understand the complexity and impact of the completed work. Only work completed after October 1, 2021 qualifies for SOS rewards.
Upfront funding will be available on a case-by-case basis for impactful improvements of moderate to high complexity over a longer time span.
How can developers participate, and what are the rewards?
Developers wishing to participate in the program should visit the FAQ page and fill out the Secure Open Source submission form.
Reward amounts are determined based on the complexity and impact of the work:
$10,000 or more for complicated, high-impact and lasting improvements that prevent major vulnerabilities in the affected code or supporting infrastructure.
$5,000-$10,000 for moderately complex improvements that offer compelling security benefits.
$1,000-$5,000 for submissions of modest complexity and impact.
$505 for small improvements that nevertheless have merit from a security standpoint.