Google is backing a new project from the Linux Foundation to the tune of $1 million that aims to bolster the security of critical open-source projects.
Rather than a bug bounty, Google’s latest investment – a part of its $10 billion pledge to President Biden’s cybersecurity push – seeks to address potential security issues before they become bugs through improvements in hardening software against attacks.
Dubbed Secure Open Source (SOS), the pilot program run by the Linux Foundation, “financially rewards developers for enhancing the security of critical open-source projects”.
The rewards range from “$10,000 or more” for hardening software in a way that prevents major bugs to $505 for “small improvements” that have merit, according to a Google blogpost.
Rewards of between $5,000 to $10,000 are available for “moderately complex improvements that offer compelling security benefits” while rewards of $1,000 to $5,000 are for for solutions that display “modest complexity and impact”.
“We are starting with a $1 million investment and plan to expand the scope of the program based on community feedback,” say members of the Google Open Source Security Team.
The program aims to support projects that proactively harden critical open-source projects and supporting infrastructure against application and supply chain attacks.
Software supply chains came into focus after the Kremlin-backed cyberattack on US government agencies and tech firms via a poisoned update from enterprise software firm, SolarWinds
SolarWinds wasn’t the first supply chain attack. NotPetya, the 2017 ransomware attack that was also blamed on Kremlin-backed hackers, was another example.
European cybersecurity think tank ENISA is also worried about software supply chain attacks, urging organizations to vet and document software suppliers, define their risk, and monitor software supply chains.
Open-source software presents another challenge that Google is attempting to address through SOS: the funding gap for software projects that are largely run on a voluntary basis. In other words, these projects need money to deliver security.
“The SOS program is part of a broader effort to address a growing truth: the world relies on open source software, but widespread support and financial contributions are necessary to keep that software safe and secure,” Google notes.
“We envision the SOS pilot program as the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF,” it adds.
Google and the OpenSSF – or the Open Source Security Foundation – earlier this year backed this goal with the launch of OpenSSF security scorecards, which automatically check software.
Via a risk score, that initiative aims to lower the cost of making secure software and bumping it up on the list of priorities by helping developers evaluate security when changing packages in a project’s supply chain.
The new rewards are linked to this score card and Google’s Supply chain Levels for Software Artifacts framework, or SLSA. All new reward submissions for SOS rewards will be assessed by the Linux Foundation and Google Open Source Security Team (GOSST). But the project team emphasizes that it is not a bug bounty.
“It is not a bug bounty program and does not reward reports of specific project vulnerabilities. Any vulnerabilities found in a project should be reported according to the project’s security disclosure policy, not through this program,” the SOS page notes.