Submitted URL: http://sos.dev/
Effective URL: https://sos.dev/
Submission: On February 15 via api from US — Scanned from DE


SECURE OPEN SOURCE REWARDS

The Secure Open Source Rewards pilot program financially rewards developers for
enhancing the security of critical open source projects that we all depend on.
The pilot program is run by the Linux Foundation with initial sponsorship from
the Google Open Source Security Team (GOSST).


WHY SOS?

SOS rewards a very broad range of improvements that proactively harden critical
open source projects and supporting infrastructure against application and
supply chain attacks. To complement existing programs that reward vulnerability
management, SOS’s scope is comparatively wider in the type of work it rewards,
in order to support project developers.


WHAT PROJECTS ARE IN SCOPE?

Since there is no single definition of what makes an open source project critical,
our selection process will be holistic. During submission evaluation we will
consider the definition established by the National Institute of Standards and
Technology in response to the recent Executive Order on Cybersecurity, along with
the criteria listed below:

 * The impact of the project:
   * How many and what types of users will be affected by the security
     improvements?
   * Will the improvements have a significant impact on infrastructure and user
     security?
   * If the project were compromised, how serious or wide-reaching would the
     implications be?
 * The project’s rankings in existing open source criticality research:
   * Is the project included in the Harvard 2 Census Study of most-used
     packages, or does it have a score of 0.7 or above in the OpenSSF
     Criticality Score project?

We will consider applications on an individual basis, so even if your project
doesn’t meet all the criteria, we still encourage you to apply and provide your
own criticality justification.


WHAT SECURITY IMPROVEMENTS QUALIFY?

The program is initially focused on rewarding the following work:

 * Software supply chain security improvements including hardening CI/CD
   pipelines and distribution infrastructure. The SLSA framework suggests
   specific requirements to consider, such as basic provenance generation and
   verification.
 * Adoption of software artifact signing and verification. One option to
   consider is Sigstore’s set of utilities (e.g. cosign).
 * Project improvements that produce higher OpenSSF Scorecard results. For
   example, a contributor can follow remediation suggestions for the following
   Scorecard checks:
   * Code-Review
   * Branch-Protection
   * Pinned-Dependencies
   * Dependency-Update-Tool
   * Fuzzing
 * Use of OpenSSF Allstar and remediation of discovered issues.
 * Earning a CII Best Practice Badge (which also improves the Scorecard
   results).
 * Adoption of SLSA builders at level 3 and above, e.g., using the SLSA GitHub
   generator project.
 * Fixing issues discovered by OSS-Fuzz that have exceeded the disclosure
   timeline (all open OSS-Fuzz findings).

We’ll continue adding to the above list, so check our FAQ for updates. You may
also submit improvements not listed above, if you provide justification and
evidence to help us understand the complexity and impact of the work.

Only work completed after October 1, 2021 qualifies for SOS rewards.

Upfront funding is available on a limited, case-by-case basis for impactful
improvements of moderate to high complexity that span a longer period of time.
Such requests should explain why funding is required upfront and provide a
detailed plan of how the improvements will be landed.


HOW TO PARTICIPATE

Review our FAQ and fill out this form to submit your application.

Please include as much data or supporting evidence as possible to help us
evaluate the significance of the project and your improvements.


REWARD AMOUNTS

Reward amounts are determined based on complexity and impact of work:

 * $10,000 or more: Complicated, high-impact and lasting improvements that almost
   certainly prevent major vulnerabilities in the affected code or supporting
   infrastructure.
 * $5,000-$10,000: Moderately complex improvements that offer compelling security
   benefits.
 * $1,000-$5,000: Submissions of modest complexity and impact.
 * $505: Small improvements that nevertheless have merit from a security
   standpoint.


LOOKING AHEAD

The SOS program is part of a broader effort to address a growing truth: the
world relies on open source software, but widespread support and financial
contributions are necessary to keep that software safe and secure. This $1
million investment is just the beginning—we envision the SOS pilot program as
the starting point for future efforts that will hopefully bring together other
large organizations and turn it into a sustainable, long-term initiative under
the OpenSSF. We welcome community feedback and interest from others who want to
contribute to the SOS program. Together we can pool our support to give back to
the open source community that makes the modern internet possible.


FREQUENTLY ASKED QUESTIONS

Q: How can my organization contribute to SOS?
A: If your organization is interested in supporting SOS through a donation,
please reach out to us. Linux Foundation membership is not required.

Q: What if maintainers don’t accept my changes?
A: Only changes that have been accepted by the maintainers qualify for SOS
rewards.

Q: Can vendors participate?
A: Yes.

Q: When will I receive my award? How will it be paid out?
A: We will evaluate submissions on a rolling basis and notify successful
applicants as soon as possible. The awards will be paid out through the Linux
Foundation Crowdfunding platform.

Q: Will award winners be announced publicly, or can I choose to remain
anonymous?
A: If you are chosen for an award, we will need your contact details in order to
pay you. At this time, though, rewards will not be announced publicly.

Q: I’d like to suggest a larger improvement for advance funding. How will you
choose between applicants if someone else proposes the same improvement?
A: Collaboration is an integral part of open source development and is
particularly encouraged for submissions that require advance funding, as it
increases the likelihood of success. All other things being equal, submissions
that demonstrate better overall preparedness to land the improvements are more
likely to be selected.

Q: Can I make multiple submissions?
A: Yes, multiple submissions are allowed, but we encourage improvements to be
done in larger batches when possible. For example, it is to your benefit to
improve all Scorecard checks before submission, rather than making multiple
submissions with improvements to individual Scorecard checks.

Q: Who is on the panel evaluating SOS submissions?
A: The panel will initially consist of representatives from the Linux Foundation
and Google Open Source Security Team (GOSST). In the future, we plan to extend
panel membership to other organizations.

Q: When will you stop accepting submissions for the pilot round of awards? Is
there a deadline for full consideration?
A: There's currently no deadline for submissions.

Q: Is there anyone who is not eligible for an award?
A: We are unable to issue rewards to individuals who are on sanctions lists, or
who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on
sanctions lists. There may be additional restrictions on your ability to enter
depending upon your local law.

Q: How is SOS different from a bug bounty or vulnerability rewards program?
A: SOS rewards project-wide improvements and the implementation of open source
security best practices. It is not a bug bounty program and does not reward
reports of specific project vulnerabilities. Any vulnerabilities found in a
project should be reported according to the project's security disclosure
policy, not through this program.

© 2022 The Linux Foundation. All rights reserved. The Linux Foundation has
registered trademarks and uses trademarks. For a list of trademarks of The Linux
Foundation, please see our Trademark Usage page.