Google has announced that it’s sponsoring a new open source security program hosted by the Linux Foundation. The Secure Open Source (SOS) Rewards pilot program provides financial incentives for developers working on security around critical open source projects.

Open source software plays a key role in many essential infrastructure and national security systems, but recent data suggests “upstream” attacks on open source software have increased in the past year as bad actors seek new ways to infiltrate the software supply chain. Moreover, countless organizations — from government agencies to hospitals and corporations — have been hit by targeted software supply chain attacks, leading U.S. President Biden to issue an executive order outlining measures to combat them.

Google recently unveiled a $10 billion five-year commitment to support Biden’s plan to bolster U.S. cyber defenses, including a $100 million pledge to fund third-party foundations that support open source security. A few weeks ago, Google revealed it was providing financial backing to the Open Source Technology Improvement Fund (OSTIF), with plans to initially sponsor security reviews in eight critical open source software projects. This latest announcement builds on that news, with Google now committing $1 million to the SOS Rewards program.

Rewarding

Rewards can vary from $505 to $10,000 or more, depending on the scope and significance of the project, in terms of industry adoption and the potential impact of improvements.

While the SOS Rewards program bears some similarities to a traditional bug bounty program, it isn’t targeted at specific project vulnerability discoveries and fixes. Instead, it aims to support “project-wide improvements and the implementation of open source security best practices,” according to the SOS Rewards FAQ section.

For now, only representatives from Google’s open source security team (GOSST) and the Linux Foundation will sit on the evaluating panel, though there are plans to extend membership to other organizations in the future.
