Google offers $1 million sponsorship to secure open source software

Google has announced today a $1 million sponsorship for a new pilot program aimed at enhancing the security of critical open source software projects.

Named Secure Open Source (SOS), the program will be run by the Linux Foundation with initial sponsorship from the Google Open Source Security Team (GOSST).

Through the program, Google aims to provide sponsorships to project maintainers so they can fund plans and solutions to improve the security posture of their code.

Projects with large penetration across industries and which play a crucial role in the software ecosystem will be prioritized in receiving funds.

SOS' initial focus will be on hardening projects against application and supply chain attacks, Google and the Linux Foundation said in a press release today.

Per the project's official website, SOS reviewers will be looking for solutions for issues such as:

• Software supply chain security improvements, including hardening CI/CD pipelines and distribution infrastructure.
• Adoption of software artifact signing and verification.
• Project improvements that produce higher OpenSSF Scorecard results.
• Use of OpenSSF Allstar and remediation of discovered issues.
• Earning a CII Best Practice Badge.

The value of sponsorships will be determined based on complexity and the impact of the proposed solutions:

• $10,000 or more for complicated, high-impact, and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure. 
• $5,000-$10,000 for moderately complex improvements that offer compelling security benefits.
• $1,000-$5,000 for submissions of modest complexity and impact.
• $505 for small improvements that nevertheless have merit from a security standpoint.

"This $1 million investment is just the beginning—we envision the SOS pilot program as the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF," Google said today.