Google has committed $1 million in funding to the Secure Open Source (SOS) pilot program established by The Linux Foundation—and the company’s investment might not stop there.
“This program financially rewards developers for enhancing the security of critical open source projects that we all depend on,” Google said. “We are starting with a $1 million investment and plan to expand the scope of the program based on community feedback.”
Rewards start at $505 for “small improvements that nevertheless have merit from a security standpoint” and can top $10,000 for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure.”
SOS won’t apply to all open source projects. The Linux Foundation said that its criteria for critical projects were informed by the Executive Order on Improving the Nation’s Cybersecurity issued in May and the corresponding guidance from the National Institute of Standards and Technology.
The foundation also said that it would consider the impact of the project—such as the importance of its security infrastructure and how many users it affects—as well as its ranking in the Harvard 2 Census Study of most-used packages and whether it has an OpenSSF Criticality Score of at least 0.6.
Google and The Linux Foundation said efforts to improve open source security won’t stop here:
The SOS program is part of a broader effort to address a growing truth: the world relies on open source software, but widespread support and financial contributions are necessary to keep that software safe and secure. This $1 million investment is just the beginning—we envision the SOS pilot program as the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF.
More information about how the SOS pilot program operates is available via its official website. Developers who believe their contributions to a project are eligible for a reward via the program can submit their work via a Google Form (how else?) for evaluation on “a rolling basis.”