On the 1st of October, the Linux Foundation introduced a rewards program, Secure Open Source (SOS), to strengthen the security of widely used open source projects. Today, Google has added a further $1 million to the prize pot, to be paid out to developers whose contributions qualify under the program.
Secure Open Source is not primarily about squashing bugs. The Linux Foundation invites every developer to find and fix weaknesses in open source projects, including structural weaknesses that are not yet exploitable and would not be filed as a "bug" in the usual sense.
What counts as a "critical" open source project?
The entry threshold differs from that of a typical bug bounty program. SOS participants do not have to target a pre-defined product, operating system or device; a security improvement to any "critical open source project" is eligible for the prize pool that Google topped up today. SOS only loosely defines "critical open source project" and evaluates eligibility per application, largely based on NIST's definition of "critical software".
What counts as a "security enhancement"?
The conditions a security enhancement must meet to qualify for a share of the prize money are spelled out more precisely than the "criticality" of a project. Hardening CI/CD pipelines and distribution infrastructure, introducing software artifact signing, and changes that raise a project's OpenSSF Scorecard result are among the qualifying categories listed by the Linux Foundation.
The size of the award depends on the impact of the enhancement. Small improvements earn a flat $505; complex, high-impact enhancements are eligible for the top award of $10,000.
Follow the money
Google's million-dollar addition to the prize pool is one outcome of the commitments the Biden-Harris Administration secured from the largest technology companies on August 26th, 2021. In response to a series of cyberattacks against U.S. targets (including the SolarWinds attack we reported on earlier), the administration asked those companies for support. Google pledged $10 billion, to be spent over five years across a variety of security programs, among them Secure Open Source.