Introducing the Safe Open Supply Pilot Program

Over the previous 12 months now we have made plenty of investments to strengthen the safety of important open supply tasks, and lately introduced our $10 billion dedication to cybersecurity protection together with $100 million to help third-party foundations that handle open supply safety priorities and assist repair vulnerabilities.

In the present day, we’re excited to announce our sponsorship for the Safe Open Supply (SOS) pilot program run by the Linux Basis. This program financially rewards builders for enhancing the safety of important open supply tasks that all of us depend upon. We’re beginning with a $1 million funding and plan to develop the scope of this system primarily based on group suggestions.

Since there is no such thing as a one definition of what makes an open supply mission important, our choice course of shall be holistic. Throughout submission analysis we are going to think about the rules established by the Nationwide Institute of Requirements and Know-how’s definition in response to the current Government Order on Cybersecurity together with standards listed beneath:

• The impression of the mission:
• What number of and what kinds of customers shall be affected by the safety enhancements?
• Will the enhancements have a major impression on infrastructure and consumer safety?
• If the mission have been compromised, how severe or wide-reaching would the implications be?

• The mission’s rankings in present open supply criticality analysis:

What safety enhancements qualify? 

This system is initially centered on rewarding the next work:

• Software program provide chain safety enhancements together with hardening CI/CD pipelines and distribution infrastructure. The SLSA framework suggests particular necessities to contemplate, comparable to fundamental provenance era and verification.
• Adoption of software program artifact signing and verification. One possibility to contemplate is Sigstore’s set of utilities (e.g. cosign).
• Challenge enhancements that produce greater OpenSSF Scorecard outcomes. For instance, a contributor can comply with remediation ideas for the next Scorecard checks:
• Code-Overview
• Department-Safety
• Pinned-Dependencies
• Dependency-Replace-Software
• Fuzzing
• Use of OpenSSF Allstar and remediation of found points.
• Incomes a CII Finest Observe Badge (which additionally improves the Scorecard outcomes).

We’ll proceed including to the above checklist, so examine our FAQ for updates. You might also submit enhancements not listed above, for those who present justification and proof to assist us perceive the complexity and impression of the work.

Solely work accomplished after October 1, 2021 qualifies for SOS rewards.

Upfront funding is accessible on a restricted case by case foundation for impactful enhancements of average to excessive complexity over an extended time span. Such requests ought to clarify why funding is required upfront and supply an in depth plan of how the enhancements shall be landed.

Overview our FAQ and fill out this type to submit your software.

Please embody as a lot information or supporting proof as attainable to assist us consider the importance of the mission and your enhancements. 

Reward quantities are decided primarily based on complexity and impression of labor:

• $10,000 or extra for classy, high-impact and lasting enhancements that just about definitely forestall main vulnerabilities within the affected code or supporting infrastructure.
• $5,000-$10,000 for reasonably advanced enhancements that supply compelling safety advantages.
• $1,000-$5,000 for submissions of modest complexity and impression.
• $505 for small enhancements that however have advantage from a safety standpoint.

Trying Forward

The SOS program is a part of a broader effort to handle a rising fact: the world depends on open supply software program, however widespread help and monetary contributions are essential to preserve that software program secure and safe. This $1 million funding is just the start—we envision the SOS pilot program as the start line for future efforts that may hopefully carry collectively different massive organizations and switch it right into a sustainable, long-term initiative below the OpenSSF. We welcome group suggestions and curiosity from others who need to contribute to the SOS program. Collectively we will pool our help to offer again to the open supply group that makes the fashionable web attainable.