Today, we are excited to announce our sponsorship for the Secure Open Source (SOS) pilot program run by the Linux Foundation. This program financially rewards developers for enhancing the security of critical open source projects that we all depend on. We are starting with a $1 million investment and plan to expand the scope of the program based on community feedback.
The impact of the project:How many and what types of users will be affected by the security improvements?Will the improvements have a significant impact on infrastructure and user security?If the project were compromised, how serious or wide-reaching would the implications be?The project’s rankings in existing open source criticality research:Is the project included in the Havard 2 Census Study of most-used packages, or does it have a score of 0.6 or above in the OpenSSF Critically Score project?
What security improvements qualify?
Software supply chain security improvements including hardening CI/CD pipelines and distribution infrastructure. The SLSA framework suggests specific requirements to consider, such as basic provenance generation and verification.Adoption of software artifact signing and verification. One option to consider is Sigstore’s set of utilities (e.g. cosign).Project improvements that produce higher OpenSSF Scorecard results. For example, a contributor can follow remediation suggestions for the following Scorecard checks:Code-ReviewBranch-ProtectionPinned-DependenciesDependency-Update-ToolFuzzingUse of OpenSSF Allstar and remediation of discovered issues.Earning a CII Best Practice Badge (which also improves the Scorecard results).We’ll continue adding to the above list, so check our FAQ for updates. You may also submit improvements not listed above, if you provide justification and evidence to help us understand the complexity and impact of the work.
Only work completed after October 1, 2021 qualifies for SOS rewards.
Upfront funding is available on a limited case by case basis for impactful improvements of moderate to high complexity over a longer time span. Such requests should explain why funding is required upfront and provide a detailed plan of how the improvements will be landed.
Please include as much data or supporting evidence as possible to help us evaluate the significance of the project and your improvements.
$10,000 or more for complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure.$5,000-$10,000 for moderately complex improvements that offer compelling security benefits.$1,000-$5,000 for submissions of modest complexity and impact.$505 for small improvements that nevertheless have merit from a security standpoint.
Looking Ahead