Google has introduced the Secure Open Source (SOS) initiative, which will pay rewards for work that hardens critical open source software. One million dollars has been allocated for the first round of payments, and if the initiative proves successful, funding for the project will continue.
The following rewards are offered:
- $10,000 or more – for complex, significant and long-term improvements that protect against serious vulnerabilities in the code or infrastructure of open source projects.
- $5,000–$10,000 – for improvements of medium difficulty that have a positive effect on security.
- $1,000–$5,000 – for improvements of moderate difficulty that increase security.
- $505 – for small security improvements.
Reward applications are accepted only for changes that have been merged into projects with a criticality level of at least 0.6 according to the OpenSSF Criticality Score, or that are included in the list of projects requiring special security review. The proposed changes must be related to improving security in areas such as hardening infrastructure components (for example, continuous integration and delivery pipelines), implementing verification of digital signatures for software product components, and raising the product's overall security level (code review, branch protection, fuzz testing, protection against dependency attacks).