Google Contributes $1M to Reward Developers for OSS Security
Google today launched a Secure Open Source (SOS) pilot program, managed by the Linux Foundation, through which it will set aside $1 million to compensate developers that work on initiatives to better secure open source software.
Abhishek Arya, principal engineer and manager for the Google open source security team, said this effort is the latest installment of a $10 billion commitment Google previously made to open source security. The decision to compensate developers for their efforts will be based on the guidelines established by the National Institute of Standards and Technology (NIST) arm of the U.S. Department of Commerce in response to the recent executive order on cybersecurity issued by the Biden administration.
Other factors include whether the project is included in the Harvard 2 Census Study of most-used packages and whether the issue being resolved has a score of 0.6 or above in the OpenSSF Criticality Score project.
Rewards will be based on the complexity and impact of work ranging from $10,000 or more for complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities to $505 for small improvements that have merit from a security standpoint. Upfront funding is available on a limited basis for impactful improvements of moderate to high complexity over a longer time span. Those requests will require a detailed plan of how the improvements will be delivered.
Specifically, the Linux Foundation is looking to encourage hardening continuous integration/continuous delivery (CI/CD) pipelines and distribution infrastructure or any other tasks defined under the Supply Chain Levels for Software Artifacts framework that addresses everything from code reviews to dependency updates. The program will also encourage maintainers of open source projects to adopt software artifact signing and verification.
The Linux Foundation is also encouraging open source projects to earn a core infrastructure initiative (CII) best practice badge that it administers.
Arya says the $1 million investment is the beginning of an effort from Google and the Linux Foundation; the hope is that other organizations will contribute financial resources to reward developers for time and effort dedicated to improving cybersecurity.
When it comes to software security, the challenge is that most developers are squarely focused on innovation. Security is generally viewed by most developers as a set of less-glamorous programming tasks that some other open source contributor will address. As a result, the number of developers focused on open source security issues is relatively low. Google is hoping that, if developers are compensated for those efforts, a small cadre of open source security-focused developers might emerge, noted Arya.
In the wake of a series of high-profile software supply chain breaches, there is now a lot more focus on open source software security. Most applications today, to varying degrees, make use of open source components that are not all equally secure. Cybersecurity teams regularly find themselves scanning for vulnerabilities that may exist in older versions of open source software or those that may have just been discovered. The more secure open source software is to start with, the less frequent that tedious task becomes.
