A new program is aiming to reward developers and security researchers who make improvements to critical infrastructure based on open source technology.
The Secure Open Source Rewards (SOS.dev) scheme will be broader than current bug bounty programs, according to its backers.
The program will “harden critical open source projects” and help protect against application and software supply chain attacks by encouraging researchers and developers to suggest security improvements.
Rewards range from $505 for small improvements up to $10,000 or more for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities”.
Save Our Software
Secure Open Source Rewards will pick eligible projects based on the NIST definition of ‘critical software’, as well as the extent of the security improvements and the number of users who stand to benefit.
The backers will also consider the seriousness of a compromise of the project, and where the project ranks in open source criticality research, including the Harvard/Linux Foundation Census II study of most-used packages and the OpenSSF Criticality Score project rankings.
Secure Open Source Rewards is looking for supply chain security improvements, improvements that raise a project's OpenSSF Scorecard results, adoption of software artifact signing and verification, and other best practice measures.
Other improvements will be added to the aims as SOS.dev evolves.
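As an added illustration of the "artifact signing and verification" category above (this is not code from SOS.dev, the Linux Foundation or the article), the following shell script shows the minimal release-signing workflow a maintainer could adopt with nothing but the openssl CLI: generate a key pair, produce a detached signature over a release artifact, verify it, and confirm that a single appended byte is rejected. The file names, the RSA-3072 choice and the sample "tarball" contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from SOS.dev or the article: detached signing and
# verification of a release artifact with the openssl CLI.
# Assumptions (hypothetical): paths under $WORK, RSA-3072 signing key,
# SHA-256 digest. The private key would normally stay on the release host.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One-time: generate the maintainer's key pair and export the public half,
# which is what consumers and CI pipelines pin.
gen_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$WORK/release-key.pem" 2>/dev/null
  openssl pkey -in "$WORK/release-key.pem" -pubout -out "$WORK/release-pub.pem"
}

# Release step: detached SHA-256/RSA signature over the artifact bytes.
# $1 = artifact path, $2 = signature output path
sign_artifact() {
  openssl dgst -sha256 -sign "$WORK/release-key.pem" -out "$2" "$1"
}

# Consumer step: verify before unpacking or installing.
# Returns 0 on success, non-zero if artifact or signature was altered.
# $1 = artifact path, $2 = signature path
verify_artifact() {
  openssl dgst -sha256 -verify "$WORK/release-pub.pem" \
    -signature "$2" "$1" >/dev/null 2>&1
}

# Constructed sample artifact standing in for a release tarball.
GOOD="$WORK/example-1.0.tar"
SIG="$WORK/example-1.0.tar.sig"
printf 'constructed example release contents\n' > "$GOOD"

gen_keys
sign_artifact "$GOOD" "$SIG"
verify_artifact "$GOOD" "$SIG" && echo "signature OK"

# A tampered copy (e.g. from a compromised mirror) with one extra byte
# must fail verification against the original signature.
BAD="$WORK/tampered.tar"
cp "$GOOD" "$BAD"
printf 'x' >> "$BAD"
if verify_artifact "$BAD" "$SIG"; then
  echo "BUG: tampered artifact verified"; exit 1
else
  echo "tampered artifact rejected"
fi
```

What the example does not cover is the hard part projects are rewarded for: distributing and pinning the public key out of band (or using a transparency-log based scheme such as Sigstore) so that a consumer cannot be handed a matching forged key alongside a forged artifact.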
Million-dollar funding
The Secure Open Source Rewards scheme differs from conventional bug bounty programs as it covers security improvements by project developers rather than just vulnerabilities.
It will also offer a limited amount of upfront funding for projects looking to make longer-term security improvements.
The initiative comes as organizations move to upgrade security for critical infrastructure and applications. More attention is being focused on software supply chains, including the role of vital open source components across the ecosystem.
“A lot of commercial and open source solutions, including those used by CNI, operate critical infrastructure relying on open source libraries including OpenSSL and Log4j, against which we have seen repeated attacks in the past,” Steven Sim, president of the ISACA Singapore chapter and chair of the OT-ISAC executive committee, told The Daily Swig.
“If we don’t do anything right now about these Achilles’ heels, we will continue to see massive breaches as a result of software supply chain attacks.”
Andrew Martin, CEO at ControlPlane and CISO at OpenUK, added: “Supply chain security starts with the initial contributor and the security of their coding practices, computing environment, and build systems.
“Organizations need to be aware of all the components in development and production systems, including open source.
“The Linux Foundation’s OpenSSF and CNCF TAG Security groups are focused on critical and cloud native software respectively, and SOS.dev occupies a more developer-focused space, and is additionally supported by Google’s GOSST team.
“The latter is also supporting the Kubernetes-based kCTF Vulnerability Rewards Program (VRP), which looks to pay researchers for escaping containers and attacking the Linux Kernel.
“These initiatives are seeing dramatically increasing payouts commensurate with the level of skill required to escape these sandboxes and applications, and together are shining a light on the risk of untrusted third-party code making its way past the scrutiny of vulnerability researchers.”
SOS.dev is run by the Linux Foundation with sponsorship from the Google Open Source Security Team, with $1 million of initial funding.