Introducing the Safe Open Supply Pilot Program
Posted by Meder Kydyraliev and Kim Lewandowski, Google Open Source Security Team

Over the past year we have made a number of investments to strengthen the security of critical open source projects, and recently announced our $10 billion commitment to cybersecurity defense, including $100 million to support third-party foundations that manage open source security priorities and help fix vulnerabilities. Today, we are excited to announce our sponsorship of the Secure Open Source (SOS) pilot program run by the Linux Foundation. This program financially rewards developers for enhancing the security of critical open source projects that we all depend on. We are starting with a $1 million investment and plan to expand the scope of the program based on community feedback.

Why SOS?

SOS rewards a very broad range of improvements that proactively harden critical open source projects and their supporting infrastructure against application and supply chain attacks. To complement existing programs that reward vulnerability management, SOS's scope is comparatively wider in the type of work it rewards, in order to support project developers.

What projects are in scope?

Since there is no single definition of what makes an open source project critical, our selection process will be holistic. During submission evaluation we will consider the guidelines established by the National Institute of Standards and Technology's definition, issued in response to the recent Executive Order on Cybersecurity, along with the criteria listed below:

- The impact of the project:
  - How many and what kinds of users will be affected by the security improvements?
  - Will the improvements have a significant impact on infrastructure and user security?
  - If the project were compromised, how serious or wide-reaching would the consequences be?
- The project's rankings in existing open source criticality research:

What security improvements qualify?
The program is initially focused on rewarding the following work:

- Software supply chain security improvements, including hardening CI/CD pipelines and distribution infrastructure. The SLSA framework suggests specific requirements to consider, such as basic provenance generation and verification.
- Adoption of software artifact signing and verification. One option to consider is Sigstore's set of utilities (e.g. cosign).
- Project improvements that produce higher OpenSSF Scorecard results. For example, a contributor can follow the remediation suggestions for the following Scorecard checks:
  - Code-Review
  - Branch-Protection
  - Pinned-Dependencies
  - Dependency-Update-Tool
  - Fuzzing
- Use of OpenSSF Allstar and remediation of the issues it discovers.
- Earning a CII Best Practices Badge (which also improves the Scorecard results).

We will continue adding to the above list, so check our FAQ for updates. You may also submit improvements not listed above, as long as you provide justification and evidence to help us understand the complexity and impact of the work.

Only work completed after October 1, 2021 qualifies for SOS rewards.

Upfront funding is available on a limited, case-by-case basis for impactful improvements of moderate to high complexity that span a longer period of time. Such requests should explain why funding is required upfront and provide a detailed plan of how the improvements will be landed.

How to participate

Review our FAQ and fill out this form to submit your application. Please include as much data or supporting evidence as possible to help us evaluate the significance of the project and your improvements.
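To make the Pinned-Dependencies item above concrete, the following added example (not code from the post, from Google, or from the OpenSSF Scorecard project) implements a simplified version of the check Scorecard performs on GitHub Actions workflows: every `uses:` reference should point at a full commit SHA rather than a tag or branch, because tags and branches can be moved after the fact while a commit SHA cannot. The sample workflow, the 40-hex commit SHA, and the image digest in it are constructed for the example and do not correspond to real releases.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Simplified, independent re-implementation of the idea behind the OpenSSF
Scorecard Pinned-Dependencies check; it is not Scorecard's own code.
"""
import re
from typing import List, Tuple

# A full 40-hex-digit commit SHA is the only git reference an upstream
# maintainer (or an attacker holding their credentials) cannot re-point.
_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Matches "- uses: owner/repo@ref" with optional quotes and trailing comment.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


def classify_uses(ref: str) -> str:
    """Return 'local', 'pinned' or 'unpinned' for a single `uses:` value."""
    if ref.startswith("./"):
        # Action stored in the same repository: already fixed by the checkout.
        return "local"
    if ref.startswith("docker://"):
        # Container images are only immutable when referenced by digest.
        return "pinned" if "@sha256:" in ref else "unpinned"
    if "@" not in ref:
        return "unpinned"
    _, version = ref.rsplit("@", 1)
    return "pinned" if _SHA_RE.fullmatch(version) else "unpinned"


def find_unpinned_actions(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line number, reference) for every `uses:` that is not pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = _USES_RE.match(line)
        if match and classify_uses(match.group(1)) == "unpinned":
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample workflow: the SHA and the image digest are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.18
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
      - run: go test ./...
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: '{ref}' is not pinned to an immutable reference")
```

Run against the sample, the script reports the tag-pinned `actions/checkout@v3` and the tag-only `docker://alpine:3.18` image; the SHA-pinned action, the local action, and the digest-pinned image pass. The remediation Scorecard suggests is the same in each case: replace the mutable tag with the commit SHA (or image digest) it currently resolves to, keeping the tag in a trailing comment for readability, and let a dependency update tool bump the SHA over time.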
Reward amounts

Reward amounts are determined based on the complexity and impact of the work:

- $10,000 or more for complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure.
- $5,000-$10,000 for moderately complex improvements that offer compelling security benefits.
- $1,000-$5,000 for submissions of modest complexity and impact.
- $505 for small improvements that nevertheless have merit from a security standpoint.

Looking Ahead

The SOS program is part of a broader effort to address a growing truth: the world relies on open source software, but widespread support and financial contributions are necessary to keep that software safe and secure. This $1 million investment is just the beginning—we envision the SOS pilot program as the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF. We welcome community feedback and interest from others who want to contribute to the SOS program. Together we can pool our support to give back to the open source community that makes the modern internet possible.