Google commits $1M to new Linux Foundation open source security rewards program


Google has announced that it’s sponsoring a new open source security program hosted by the Linux Foundation. The Secure Open Source (SOS) Rewards pilot program provides financial incentives for developers working on security around critical open source projects.

Open source software plays an integral part in many critical infrastructure and national security systems. However, recent data suggests that “upstream” attacks on open source software have increased in the past year as bad actors seek new ways to infiltrate the software supply chain. Moreover, countless organizations — from government agencies to hospitals and corporations — have been hit by targeted software supply chain attacks, leading President Biden to issue an executive order outlining measures to combat such attacks.

As such, Google recently unveiled a $10 billion five-year commitment to support President Biden’s plans to bolster U.S. cyber defenses, including a $100 million wedge to fund third-party foundations that support open source security. A few weeks back, Google revealed it was giving financial backing to the Open Source Technology Improvement Fund (OSTIF), with plans to initially sponsor security reviews in eight critical open source software projects. This latest announcement builds on that, with Google now committing $1 million to the SOS Rewards program.

Rewarding

Rewards can vary from $505 to $10,000 or more depending on the scope and significance of the project in terms of industry adoption and the potential impact the improvements will have.

While the SOS Rewards program does bear some similarities to a traditional bug bounty program, SOS Rewards is different in that it isn’t looking to reward specific project vulnerability discoveries and fixes — it’s about supporting “project-wide improvements and the implementation of open source security best practices,” according to the project’s FAQ section.

For now, only representatives from Google’s open source security team (GOSST) and the Linux Foundation will sit on the evaluating panel, though plans are afoot to extend membership to other organizations in the future.
