The Secure Open Source Rewards pilot program financially rewards developers for enhancing the security of critical open source projects that we all depend on. The pilot program is run by the Linux Foundation with initial sponsorship from the Google Open Source Security Team (GOSST).
Available funding for 2023 has been completely allocated, so no new submissions are being accepted at this time. Please stay tuned for an annual report that details our 2023 results and plans for 2024.
SOS rewards a very broad range of improvements that proactively harden critical open source projects and supporting infrastructure against application and supply chain attacks. To complement existing programs that reward vulnerability management, SOS’s scope is comparatively wider in the type of work it rewards, in order to support project developers.
Since there is no one definition of what makes an open source project critical, our selection process will be holistic. During submission evaluation we will consider the guidelines established by the National Institute of Standards and Technology’s definition in response to the recent Executive Order on Cybersecurity along with criteria listed below:
- The impact of the project:
- How many and what types of users will be affected by the security improvements?
- Will the improvements have a significant impact on infrastructure and user security?
- If the project were compromised, how serious or wide-reaching would the implications be?
- The project’s rankings in existing open source criticality research:
We will consider applications on an individual basis, so even if your project doesn’t meet all the criteria, we still encourage you to apply and provide your own criticality justification.
The program is initially focused on rewarding the following work:
- Software supply chain security improvements including hardening CI/CD pipelines and distribution infrastructure. The SLSA framework suggests specific requirements to consider, such as basic provenance generation and verification.
- Adoption of software artifact signing and verification. One option to consider is Sigstore’s set of utilities (e.g. cosign).
- Project improvements that produce higher OpenSSF Scorecard results. For example, a contributor can follow remediation suggestions for the following Scorecard checks:
- Use of OpenSSF Allstar and remediation of discovered issues.
- Earning a CII Best Practice Badge (which also improves the Scorecard results).
- Adoption of SLSA builders at level 3 and above, e.g., using the SLSA GitHub generator project.
- Fixing issues discovered by OSS-Fuzz that exceeded disclosure timeline: all open OSS-Fuzz findings. You will be rewarded based on the impact of the fix, rather than the effort. A small change that fixes a significant vulnerability in a critical project may be rewarded more significantly than a large change with minimal impact to the user.
We’ll continue adding to the above list, so check our FAQ for updates. You may also submit improvements not listed above, if you provide justification and evidence to help us understand the complexity and impact of the work.
Only work completed after October 1, 2021 qualifies for SOS rewards.
Upfront funding is available on a limited case by case basis for impactful improvements of moderate to high complexity over a longer time span. Such requests should explain why funding is required upfront and provide a detailed plan of how the improvements will be landed.
Please include as much data or supporting evidence as possible to help us evaluate the significance of the project and your improvements.
Reward amounts are determined based on complexity and impact of work:
|Nature of improvement
|$10,000 or more
|Complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure.
|Moderately complex improvements that offer compelling security benefits.
|Submissions of modest complexity and impact.
|Small improvements that nevertheless have merit from a security standpoint.
|Extra-small improvements (one or two line changes).
Examples of how specific changes may map to award amounts:
- Updating token permissions: XS-S
- Adoption of OSSF Scorecard: XS-S
- Adoption of artifact signing and verification: S-M
- Adoption of SLSA builders: S-M
- Adoption of Fuzzing: S-M
- Fixing issues found by fuzzing: S-M
- Fixing issues found by fuzzing with a demonstration of an attacker controlling execution flow: M-L
- Implementing ecosystem wide security improvements: L-XL
These examples of award amounts are for illustrative purposes only. We reserve the right to be subjective when determining award amounts.
The SOS program is part of a broader effort to address a growing truth: the world relies on open source software, but widespread support and financial contributions are necessary to keep that software safe and secure. This $1 million investment is just the beginning—we envision the SOS pilot program as the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF. We welcome community feedback and interest from others who want to contribute to the SOS program. Together we can pool our support to give back to the open source community that makes the modern internet possible.