Secure Open Source Rewards

The Secure Open Source Rewards pilot program financially rewarded developers for enhancing the security of critical open source projects that we all depend on. The pilot program was run by the Linux Foundation with initial sponsorship from the Google Open Source Security Team (GOSST).


Status of Secure Open Source Rewards program

The Secure Open Source (SOS) program was established as a program to address the very long tail of open source security. The idea was simple: create financial incentives to find and fix security issues in all open source projects. After 24 months in action, the program disbursed $353,000 for 189 improvements. We are particularly grateful to all the contributors for their efforts. 

Although these results were positive, they also made clear that this approach will not scale to the problem at hand; therefore the SOS program has been decommissioned because alternative approaches exist: The Linux Foundation & Google continue to support individual security work through scaled approaches through the Linux Foundation’s Alpha-Omega project and individual rewards through Google’s Patch Rewards Program

The Patch Rewards Program has been around since 2013 and seeks to reward patches (or pull requests) that improve the security of an in-scope project. The Alpha-Omega project mission is to protect society by catalyzing sustainable security improvements to the most critical open source software projects and ecosystems. Since 2022, Alpha-Omega has disbursed over $8M in grants to improve open source security. For more information please visit the Patch Rewards Program and Alpha-Omega websites respectively.