UPDATED 09:00 EDT / OCTOBER 01 2021


Google-backed program will pay developers for open-source software security improvements

Few companies are as devoted to the cause of open-source software as Google LLC, and as if to underline that point, the company said today it’s sponsoring the Linux Foundation’s new Secure Open Source Pilot Program.

The SOS program is an initiative that’s promising to reward developers financially for enhancing the security of what are deemed to be “critical open-source projects” that many organizations depend on. To get the ball rolling, Google said it will donate $1 million to fund those payouts.

In a blog post, Google Open Source Security Team leaders Meder Kydyraliev and Kim Lewandowski said the idea with SOS is to reward various improvements that proactively harden critical open-source projects and support infrastructure against application and supply chain attacks. They explain that the entire world is increasingly reliant on open-source software, and that widespread support and financial incentives are necessary to encourage developers to keep that software safe and secure.


A number of similar reward programs for developers already exist, but Google said the SOS has a much wider scope than previous efforts. The reward amounts are pretty hefty too, with $10,000 or more on offer to developers who come up with complex, high-impact and lasting improvements that will almost certainly prevent vulnerabilities in affected code or supporting infrastructure.

So-called moderately complex improvements that offer “compelling security benefits” will be eligible for a payout of between $5,000 and $10,000, while submissions of “modest complexity and impact” will receive $1,000 to $5,000, depending on their impact. Developers can also obtain a $505 reward for small improvements that are deemed to have merit from a security standpoint.

Kydyraliev and Lewandowski said the selection process for eligible open-source software projects will be holistic, based on guidelines established by the National Institute of Standards and Technology. The SOS will also take into account additional criteria such as the impact of the project in terms of what types of users will be affected by the security improvements, how significant the improvements are and how serious the implications would be if the project is compromised. The project’s ranking in existing open-source criticality research will also be considered.

The rewards will be paid out to developers who implement a wide range of security improvements, including those focused on software supply chain security, such as hardening continuous integration and continuous delivery (CI/CD) pipelines and distribution infrastructure. Improvements that lead to the adoption of software artifact signing and verification, and those that produce higher OpenSSF Scorecard results, will also be rewarded, Kydyraliev and Lewandowski said.

To apply for a financial reward, developers should read the SOS FAQ page and then submit their application via this form. Google said it will pay rewards only for work completed after Oct. 1, 2021.

Upfront funding will also be provided on a case-by-case basis for the moderate and complex improvements that are deemed worthy enough, though developers will need to explain why they need the funding and also provide a detailed plan of the improvements they intend to implement.

Holger Mueller, an analyst with Constellation Research Inc., told SiliconANGLE the SOS project is a welcome initiative. He said open-source software is what powers most modern computing platforms today, beating out proprietary, in-house software development.

“It’s good to see a major cloud player like Google tackle what is widely believed to be the Achilles’ heel of the open-source ecosystem — security,” Mueller said. “Although the funding might not be enough to make entire software projects more secure, it is a major incentive for the majority of project contributors, most of whom do their work for free in their spare time. Time will tell how successful the SOS program will be.”

For now the SOS project is still a work in progress, but Google said it will continue to expand its focus to cover a wider range of security improvements and projects. For example, developers who make improvements in unforeseen areas can still submit an application for a reward as long as they can provide justification and evidence for the complexity and impact of their work.

Google also hopes other large organizations that depend on open-source software will back the SOS program and provide funding, so it can become a sustainable, long-term initiative that benefits everyone.

Image: rawpixel/Freepik
