The pilot initiative, designed to complement existing vulnerability reward programs, pays developers who help improve the security of critical open-source projects.
The Internet search giant has pledged $100 million in support for initiatives that work to fix vulnerabilities in open-source projects as part of its commitment to improving the security of the open-source ecosystem. Google announced support for OSTIF (Open Source Technology Improvement Fund) a few weeks ago.
Compared to conventional vulnerability reward programs, which pay for reports of individual bugs, the SOS pilot has a broader reach: it rewards developers for a wide range of proactive changes aimed at hardening key open-source projects.
According to Google, submitted projects will be designated critical based on the definition of critical software that the National Institute of Standards and Technology issued in response to the recent Executive Order on Cybersecurity.
Other factors taken into account include the project's impact (the number of users affected, the consequences for infrastructure and user security, and the ramifications of the project's failure) and the project's ranking in open-source criticality research, such as the OpenSSF Criticality Score project and the Harvard 2 Census Study of the most-used packages.
Initially, rewards will be given for software supply chain security improvements, such as hardening of CI/CD pipelines and distribution infrastructure, changes that raise a project's OpenSSF Scorecard results, adoption of software artifact signing and verification, use of OpenSSF Allstar together with remediation of the issues it flags, and earning CII Best Practice Badges.
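As an added illustration of the CI/CD hardening the program rewards, the following GitHub Actions workflow is shown in a weak form and a hardened form. This is example configuration written for this page, not code from Google, OpenSSF, or any awarded project; the two workflows are placed in one fence separated by `---` only for comparison, the `build.sh` script and job names are assumptions, and the 40-zero action SHAs are placeholders for the full commit hash of the release you have audited. The hardened form addresses three OpenSSF Scorecard checks: Token-Permissions (least-privilege `GITHUB_TOKEN`), Pinned-Dependencies (actions pinned by commit rather than a movable tag), and Dangerous-Workflow (no untrusted input interpolated into a shell step, no `pull_request_target` exposing secrets to fork pull requests).

```yaml
# Weak workflow (constructed example): the token keeps its broad default
# permissions, actions are referenced by mutable tags, and the pull request
# title from an untrusted fork is interpolated straight into a shell command.
name: ci-weak
on: [push, pull_request_target]   # pull_request_target runs with repository secrets for fork PRs
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4     # floating tag: the tag can be moved to different code later
      - uses: actions/setup-node@v4
      - run: echo "Building ${{ github.event.pull_request.title }}"   # script injection sink
      - run: ./build.sh               # assumed project build script

---
# Hardened workflow (constructed example): read-only token by default,
# actions pinned to a full commit SHA, untrusted input passed through an
# environment variable so the shell never parses it as code.
name: ci-hardened
on:
  push:
    branches: [main]
  pull_request:                      # not pull_request_target: fork PRs get no secrets
permissions:
  contents: read                     # least privilege for every job; grant writes per job only if needed
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Placeholder SHAs: replace with the 40-hex commit of the audited release; keep the version in a comment.
      - uses: actions/checkout@0000000000000000000000000000000000000000   # v4.x (placeholder)
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4.x (placeholder)
      - name: Build
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}   # expanded into a variable, not into the script text
        run: |
          echo "Building $PR_TITLE"
          ./build.sh                   # assumed project build script
```

After committing the hardened form, the Scorecard CLI (`scorecard --repo=github.com/<org>/<repo>`, run against the public repository) reports the improvement in the Token-Permissions, Pinned-Dependencies and Dangerous-Workflow checks; a Dependabot or Renovate configuration is what keeps the pinned SHAs current afterwards.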
Only work completed after October 1, 2021, will be eligible for SOS rewards. Upfront funding may be granted on a case-by-case basis for significant improvements of moderate to high complexity that take longer to complete, Google adds.
Under the pilot, developers may receive $10,000 or more for complicated, high-impact, and lasting improvements that almost certainly prevent serious vulnerabilities; between $5,000 and $10,000 for moderately complex improvements; between $1,000 and $5,000 for submissions of modest complexity; and $505 for small improvements that still have security merit.