Google has launched the Secure Open Source — SOS — pilot program, seeding $1 million to the Linux Foundation to offer incentives as high as $10,000 for developers to write more secure code for open-source projects.
In a blog post, Google said it will consider the definition established by the National Institute of Standards and Technology in response to the recent Biden administration executive order on cybersecurity, along with the following criteria:
The project’s impact:
- How many and what types of users will be affected by the security improvements?
- Will the improvements have a significant impact on infrastructure and user security?
- If the project were compromised, how serious or wide-reaching would the implications be?
The project’s rankings in existing open source criticality research:
- Is the project included in the Harvard 2 Census Study of most-used packages? Or does it have a score of 0.6 or above in the OpenSSF Criticality Score project?
Google understands that incentivizing secure development for open source has potentially massive benefits for the entire ecosystem, said Archie Agarwal, founder and CEO at ThreatModeler.
“In recent times, far too often breaches have occurred because of vulnerabilities in these underlying open-source code libraries,” Agarwal said. “It’s heartening to see Google aiming straight for the heart of the problem by funding the SOS program. I sincerely hope this $1 million investment is only the beginning and the success of the project drives larger contributions from Google, encouraging other organizations to do likewise.”
Open-source likes to claim that any vulnerability gets found and fixed quickly because of the diversity of the distributed development team, said Saryu Nayyar, CEO at Gurucul. While it’s true in some cases, it’s probably not in others, depending on the project, Nayyar said.
“So Google’s SOS pilot program is an interesting way of hardening up open-source software, by paying grants to projects for more secure software,” Nayyar said. “While it’s not clear that many open-source projects are motivated by financial rewards, it’s an intriguing way of encouraging better software in the overall software supply chain.”
John Bambenek, principal threat hunter at Netenrich, said the consequence of open-source software becoming critical components of so many applications is that often there’s no effective product security team that can help drive security updates — or routine security enhancements.
“Google and other companies that rely on these projects can step into the gap by incentivizing developers to help create better code or letting their staff contribute enhancements during their corporate work time,” Bambenek said. “It’s a win-win for everyone involved.”
Doug Britton, CEO of Haystack Solutions, wonders if the industry can rely on these altruistic efforts to ensure the stability of our digital infrastructure. Britton said if economic incentives power protection, there are also economic incentives powering bad actors. So Britton poses the question: If a researcher gets offered $10,000 for the discovery and patch of a high-impact vulnerability, what competing incentives do malicious hacking groups offer?
“In any case, this is a positive effort and we hope it’s further supported by other top firms,” Britton said. “We believe in a strong cybersec community and encourage Google to also continue to invest in the pipeline of talent in the cybersecurity marketplace.”