Google has allocated a million dollars for work on improving the security of open source software

Google has introduced the Secure Open Source (SOS) initiative, which will provide rewards for work related to strengthening the security of critical open source software. A million dollars has been allocated for the first payments, but if the initiative is recognized as successful, investment in the project will continue.

The following awards are provided:

  • $10000 or more for complex, significant, and long-term improvements that protect against major vulnerabilities in open source code or infrastructure.
  • $5000-$10000 for medium-complexity improvements that have a positive impact on security.
  • $1000-$5000 for moderate security enhancements.
  • $505 for small improvements that increase security.

Applications for rewards are accepted only for changes that have been merged into projects with a criticality level of at least 0.6 on the OpenSSF Criticality Score, or into projects included in the list of projects requiring special security review. The proposed changes should improve security in areas such as strengthening the protection of infrastructure elements (for example, continuous integration processes and the distribution of releases), introducing systems for verifying the digital signatures of software product components, and raising the level of the product (peer review, branch protection, fuzz testing, protection against attacks through dependencies).

Source: opennet.ru
