Google pledges $1 million to secure open source software
Developers can earn anything from $500 to more than $10,000 for their security work
Google has pledged $1 million in funding to a new open-source security project hosted by the Linux Foundation.
Dubbed the Secure Open Source (SOS) Rewards programme, the pilot project aims to improve the security of critical open-source apps by offering eligible developers financial rewards of $10,000 or more for their security-related work.
"SOS rewards a very broad range of improvements that proactively harden critical open source projects and supporting infrastructure against application and supply chain attacks," Meder Kydyraliev and Kim Lewandowski of Google's Open Source Security Team said in a blog post.
"To complement existing programs that reward vulnerability management, SOS's scope is comparatively wider in the type of work it rewards, in order to support project developers."
Google's Open Source Security Team is starting with a $1 million investment, and plans to expand the programme's scope based on community feedback.
SOS rewards start from $505 for 'small improvements that nevertheless have merit from a security standpoint'. Rewards of $1,000 - $5,000 are available for solutions that display 'modest complexity and impact', while developers can pick up $5,000 - $10,000 for 'moderately complex improvements that offer compelling security benefits'.
Google is offering more than $10,000 for complex, high-impact improvements that prevent major bugs in the affected code or supporting infrastructure.
SOS won't apply to all open source applications. The criteria for eligibility will be based on guidelines established by the National Institute of Standards and Technology. The Linux Foundation said it would consider the impact of the project, how significant the security improvements are and what types of users would be affected by the improvements.
SOS will also consider the project's rankings in the Harvard 2 Census Study of most-used packages.
Google's latest investment is part of its recently announced $10 billion pledge to cybersecurity defence, following a meeting with President Joe Biden in August.
The meeting was held to discuss how the public and private sectors can work together to improve the USA's critical infrastructure and supply chain cyber security.
The President appealed to business leaders to "raise the bar on cybersecurity," and take further steps to tackle the growing threat of cyber attacks to the US economy.
Google said it would invest more than $10 billion over five years to bolster cyber security. The company also committed to train 100,000 Americans in fields such as data analytics and IT support, and to provide training in digital skills, from basic to advanced, over the next two years for more than 10 million Americans.
Last month, Google also revealed its backing for the Open Source Technology Improvement Fund (OSTIF), to sponsor security reviews of projects that are vital to the open source ecosystem.