Secure Open Source Rewards program launched to help protect critical upstream software

A new program is aiming to reward developers and security researchers who make improvements to critical infrastructure based on open source technology.

The Secure Open Source Rewards (SOS.dev) scheme will be broader than current bug bounty programs, according to its backers.

The program will “harden critical open source projects” and help protect against application and software supply chain attacks by encouraging researchers and developers to suggest security improvements.

Rewards range from $505 for small improvements up to $10,000 or more for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities”.

Save Our Software

Secure Open Source Rewards will pick eligible projects based on the NIST definition of ‘critical software’, as well as the extent of the security improvements and the number of users who stand to benefit.

The backers will also consider the seriousness of any compromise of the project, and where the project ranks in open source criticality research, including the Harvard 2 Census Study of most-used packages, and the OpenSSF Criticality Score project rankings.

Secure Open Source Rewards is looking for supply chain security improvements, improvements that raise a project's OpenSSF Criticality Scorecard results, the adoption of software artifact signing and verification, and other best-practice measures.

Other improvements will be added to the aims as SOS.dev evolves.

Million-dollar funding

The Secure Open Source Rewards scheme differs from conventional bug bounty programs as it covers security improvements by project developers rather than just vulnerabilities.

It will also offer a limited amount of upfront funding for projects looking to make longer-term security improvements.

The initiative comes as organizations move to upgrade security for critical infrastructure and applications. More attention is being focused on software supply chains, including the role of vital open source components across the ecosystem.

“A lot of commercial and open source solutions, including those used by CNI, operate critical infrastructure relying on open source libraries including OpenSSL and Log4j, of which we have seen repeated attacks in the past,” Steven Sim, president of the ISACA Singapore chapter and chair of the OT-ISAC executive committee, told The Daily Swig.

“If we don’t do anything right now about these Achilles’ heels, we will continue to see massive breaches as a result of software supply chain attacks.”

Andrew Martin, CEO at ControlPlane and CISO at OpenUK, added: “Supply chain security starts with the initial contributor and the security of their coding practices, computing environment, and build systems.

“Organizations need to be aware of all the components in development and production systems, including open source.

“The Linux Foundation’s OpenSSF and CNCF TAG Security groups are focused on critical and cloud native software respectively, and SOS.dev occupies a more developer-focused space, and is additionally supported by the Google GOSST team.

“The latter is also supporting the Kubernetes-based kCTF Vulnerability Rewards Program (VRP), which looks to pay researchers for escaping containers and attacking the Linux Kernel.

“These initiatives are seeing dramatically increasing payouts commensurate with the level of skill required to escape these sandboxes and applications, and together are shining a light on the risk of untrusted third-party code making its way past the scrutiny of vulnerability researchers.”

SOS.dev is run by the Linux Foundation with sponsorship from the Google Open Source Security Team, with $1 million of initial funding.

Source: https://portswigger.net/daily-swig/secu

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO