Sunday, June 14, 2026

Introducing the Secure Open Source Pilot Program


Over the past year we have made a number of investments to strengthen the security of critical open source projects, and recently announced our $10 billion commitment to cybersecurity defense, including $100 million to support third-party foundations that manage open source security priorities and help fix vulnerabilities.

Today, we are excited to announce our sponsorship of the Secure Open Source (SOS) pilot program run by the Linux Foundation. This program financially rewards developers for enhancing the security of critical open source projects that we all depend on. We are starting with a $1 million investment and plan to expand the scope of the program based on community feedback.

Why SOS?

SOS rewards a very broad range of improvements that proactively harden critical open source projects and their supporting infrastructure against application and supply chain attacks. Existing programs mostly reward vulnerability management (finding and fixing individual bugs); to complement them, SOS deliberately rewards a wider range of work, so that project developers are paid for preventive hardening as well.

What projects are in scope?

Since there is no single definition of what makes an open source project critical, our selection process will be holistic. During submission evaluation we will consider the guidelines established by the National Institute of Standards and Technology's definition of critical software, written in response to the recent Executive Order on Cybersecurity, along with the criteria listed below:

  • The impact of the project:
    • How many and what types of users will be affected by the security improvements?
    • Will the improvements have a significant impact on infrastructure and user security?
    • If the project were compromised, how serious or wide-reaching would the consequences be?
  • The project's rankings in existing open source criticality research:

What security improvements qualify?

The program is initially focused on rewarding the following work:

  • Software supply chain security improvements, including hardening CI/CD pipelines and distribution infrastructure. The SLSA framework suggests specific requirements to consider, such as basic provenance generation and verification.
  • Adoption of software artifact signing and verification. One option to consider is Sigstore's set of utilities (e.g. cosign).
  • Project improvements that produce higher OpenSSF Scorecard results. For example, a contributor can follow the remediation suggestions for the following Scorecard checks:
    • Code-Review
    • Branch-Protection
    • Pinned-Dependencies
    • Dependency-Update-Tool
    • Fuzzing
  • Use of OpenSSF Allstar and remediation of the issues it discovers.
  • Earning a CII Best Practice Badge (which also improves the Scorecard results).
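Of the Scorecard checks listed above, Pinned-Dependencies is mechanical enough to show in code. What follows is an added example, not code from this post, the SOS program or the Scorecard project: a small Python checker that scans a GitHub Actions workflow for `uses:` references and flags any that point at a mutable tag, branch or image tag instead of a full commit SHA or image digest, which is the change the Scorecard remediation for this check asks contributors to make. The two workflow texts embedded in it are constructed for illustration, and the 40-character SHAs and the sha256 digest in the pinned version are placeholders rather than real commits or images.

```python
"""Flag unpinned 'uses:' references in a GitHub Actions workflow.

Illustrative checker in the spirit of the OpenSSF Scorecard
Pinned-Dependencies check; it is not the Scorecard implementation.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Matches "- uses: actions/checkout@v4", "uses: docker://golang:1.22",
# "uses: ./local/action" and reusable-workflow "uses:" lines alike.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
SHORT_SHA_RE = re.compile(r'^[0-9a-f]{7,39}$')
IMAGE_DIGEST_RE = re.compile(r'@sha256:[0-9a-f]{64}$')


@dataclass
class UsesFinding:
    line: int
    target: str
    pinned: bool
    reason: str


def classify(target: str) -> Tuple[bool, str]:
    """Return (is_pinned, explanation) for one 'uses:' target string."""
    if target.startswith('./'):
        return True, 'local action, versioned with the repository itself'
    if target.startswith('docker://'):
        if IMAGE_DIGEST_RE.search(target):
            return True, 'container image pinned by digest'
        return False, 'container image by mutable tag; pin with @sha256:<digest>'
    if '@' not in target:
        return False, 'no ref given; resolves to the default branch at run time'
    action, ref = target.rsplit('@', 1)
    if FULL_SHA_RE.match(ref):
        return True, 'pinned to a full commit SHA'
    if SHORT_SHA_RE.match(ref):
        return False, 'abbreviated SHA can become ambiguous; use the full 40-character SHA'
    return False, f'mutable ref {ref!r}; pin {action} to the commit SHA it resolves to'


def audit_workflow(text: str) -> List[UsesFinding]:
    """Classify every 'uses:' reference in a workflow file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            pinned, reason = classify(m.group(1))
            findings.append(UsesFinding(lineno, m.group(1), pinned, reason))
    return findings


def unpinned(text: str) -> List[UsesFinding]:
    """Only the references a Pinned-Dependencies remediation would change."""
    return [f for f in audit_workflow(text) if not f.pinned]


# Constructed sample: the 'before' workflow a Scorecard run would flag.
BEFORE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'
      - uses: docker://golang:1.22
      - run: go test ./...
"""

# Placeholder SHAs and digest (hypothetical, not real commits or images).
SHA_A = '1' * 40
SHA_B = '2' * 40
DIGEST = '3' * 64

# Constructed sample after remediation: each action pinned to a full commit
# SHA (tag kept as a trailing comment for humans), the image pinned by digest.
AFTER = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{SHA_A}  # v4
      - uses: actions/setup-go@{SHA_B}  # v5
        with:
          go-version: '1.22'
      - uses: docker://golang@sha256:{DIGEST}
      - run: go test ./...
"""

if __name__ == '__main__':
    for label, workflow in (('before', BEFORE), ('after', AFTER)):
        bad = unpinned(workflow)
        print(f'{label}: {len(bad)} unpinned reference(s)')
        for f in bad:
            print(f'  line {f.line}: {f.target} -> {f.reason}')
```

Pinning to a SHA removes the "tag moved under me" failure mode but freezes the action, which is why the Pinned-Dependencies and Dependency-Update-Tool checks on the list above go together: a dependency update tool that understands SHA pins is what keeps the pinned references current.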

We will continue adding to the list above, so check our FAQ for updates. You may also submit improvements not listed above, provided you supply justification and evidence to help us understand the complexity and impact of the work.

Only work completed after October 1, 2021 qualifies for SOS rewards.

Upfront funding is available on a limited, case-by-case basis for impactful improvements of moderate to high complexity carried out over a longer time span. Such requests should explain why funding is needed upfront and provide a detailed plan of how the improvements will be landed.

How to participate

Review our FAQ and fill out this form to submit your application.

Please include as much data or supporting evidence as possible to help us evaluate the significance of the project and of your improvements.

Reward amounts

Reward amounts are determined based on the complexity and impact of the work:

  • $10,000 or more for complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure.
  • $5,000-$10,000 for moderately complex improvements that offer compelling security benefits.
  • $1,000-$5,000 for submissions of modest complexity and impact.
  • $505 for small improvements that nevertheless have merit from a security standpoint.


Looking Ahead

The SOS program is part of a broader effort to address a growing truth: the world relies on open source software, but widespread support and financial contributions are necessary to keep that software safe and secure. This $1 million investment is just the beginning. We envision the SOS pilot program as the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF. We welcome community feedback and interest from others who want to contribute to the SOS program. Together we can pool our support to give back to the open source community that makes the modern internet possible.
