Announcing the GitHub Secure Open Source Fund: Help secure the open source ecosystem for everyone

Today, we announce the call for applicants for the GitHub Secure Open Source Fund, a program designed to financially and programmatically improve the security and sustainability of open source projects. Applications are open on a rolling basis until they close on January 7 at 11:59 PM PT.

We are launching with $1.25 million to invest in 125 projects, backed by the generous support of the Alfred P. Sloan Foundation, American Express, Chainguard, HeroDevs, Kraken, Mayfield Fund, Microsoft, 1Password, Shopify, Stripe, Superbloom, Vercel, Zerodha, and more. Beyond today’s launch, we will continue to accept partners who want to join our mission of funding open source security. And beyond purely financial support, the three-week program will provide maintainers with security education, training, tooling, certification, and more. For a full explanation of program eligibility and benefits, see below.

For the people who maintain much of the open source that the world relies on today, security is important but often difficult to prioritize among all the other work required to run a popular open source project. Moreover, while new research shows that organizations invest billions of dollars in open source, security auditing is not an area of emphasis for those organizations. No one wants their open source project to be the source of security issues for the people who use it, but keeping dependencies up to date, triaging security reports, and issuing fixes all take time. And time is always the hardest thing to find when you’re already working on the project in your free time.

Talking to maintainers, foundations, and other companies like ourselves, we wanted to come up with a different way to help. For some maintainers, funding frees up time to focus on security; for others, the learning, access to experts, and community can help. Building on lessons from other open source funders and community-driven security practices, the GitHub Secure Open Source Fund is a first-of-its-kind cohort-based program linked to funding. The goal is to improve security for projects in a way that scales, by building a security-minded community of maintainers and funders with shared goals. The community stands to benefit from reduced security risk, visibility and insights into project security status, and consistent reporting.

We take an ecosystem approach because we believe that a dependency graph is more than connected software: behind it are the people responsible for the success and sustainability of open source. We invest in security because it is essential to the global software ecosystem, and because for many organizations it is essential for navigating policies such as Secure by Design and the EU Cyber Resilience Act, and for long-term sustainability.

Open source helps American Express deliver the world’s best customer experience every day by allowing our developers to innovate, collaborate, and share. The security of open source software has long been a priority for our company. We are proud to support this important program that aims to improve security in a scalable way and help support open source maintainers in the implementation of secure software.

– Hilary Packer, Chief Technology Officer // American Express

Our commitment to the GitHub Secure Open Source Fund is consistent with our long-standing commitment to the FOSS ecosystem, from which we have benefited greatly. We see this program as an exciting win-win: getting money directly into the hands of FOSS developers, while enabling critical improvements in software security that benefit everyone.

– Dr. Kailash Nadh, CTO // Zerodha

Program eligibility and benefits

GitHub will provide security education, engagement with experts, community support, promotion, and security health reports for two years. Maintainers get hands-on learning of security principles and of tools like GitHub Copilot and Copilot Autofix to help improve their security posture, reduce security debt, and increase downstream user confidence. All funds go directly to the maintainers via GitHub Sponsors. Any current maintainer of an open source project with a valid open source license who is located in one of the regions supported by GitHub Sponsors can apply.

In general, participants will receive:

  • Funding: $10,000 per project, paid in line with program milestones and checkpoints.
  • Education: a 3-week program with a 5-10 hour commitment per week, consisting of a mix of 1-to-1 sessions, tutorials, workshops, group sessions, project work, and mentoring. Projects also do focused work toward specific project security milestones agreed upon between the project, the program managers, and GitHub Security Lab.
  • Check-ins: 6-month and 12-month checkpoints after the education phase.
  • Office hours with GitHub Security: dedicated time with the GitHub Security Lab team to establish effective security policies and best practices for incident management planning and support.
  • Engagement: Q&As with GitHub Sponsors, community members, and GitHub leaders.
  • Skills: access to security experts from the GitHub Security Lab, plus Q&As with GitHub Sponsors funders, community members, and GitHub leaders.
  • Tools: free access and training for related GitHub products, including tools like GitHub Copilot, Copilot Autofix, and secret scanning.
  • Community: access to the new GitHub Secure Open Source community.
  • Alumni support: continuing opportunities for networking and support from GitHub.
  • Policy education: preparing projects to navigate policies such as Secure by Design and the EU Cyber Resilience Act.
  • Certification and health reports: program certification and bi-annual security health checks.

Understanding the state of Open Source funding in 2024

GitHub wouldn’t be GitHub without a community of developers, partners, and customers. Already, through GitHub Sponsors, we’ve seen the impact organizations can have when they invest in their open source dependencies, whether that investment supports dependencies, brings new ideas to life, or even builds full-time careers. Since we introduced support for organizations in GitHub Sponsors, more than 5,800 organizations, including Microsoft and Stripe, have invested in GitHub maintainers and projects, up nearly 40% year over year. In total, the platform has unlocked more than $60 million in funding for maintainers to help them spend more time working on their projects.

But we know we’re only scratching the surface when it comes to open source organizations and corporate support. This summer, we partnered with the Linux Foundation and researchers from the Laboratory for Innovation Science at Harvard (LISH) to learn more about the state of open source funding today. We assessed organizations’ funding practices, potential misalignments, and opportunities for improvement. In the report launched today, we found:

  • Responding organizations annually invest $1.7 billion in open source, which can be extrapolated to estimate that approximately $7.7 billion is invested in the entire open source ecosystem annually.
  • 86% of the investment is in the form of labor contributions by employees and contractors working for the funding organization, with the remaining 14% being direct financial contributions.
  • Organizations generally know how and where they contribute (65%) but lack specific clarity on their contributions (38%).
  • Security efforts focus on bugs and maintenance; only a few (6%) say that comprehensive security audits are a priority.

We can all benefit from unlocking more funding for open source. By tackling problems like open source security as an ecosystem, we believe we can help create more of the funding and resources that are essential to sustaining open source. Not all open source projects or maintainers have access to funding and training for security. That is why we have created a fund that is open to everyone who qualifies. For some, receiving training, tools, coaching, and financial support can be a game changer, allowing them to invest time in improving the security of their project. We are inspired by the work of other organizations, projects, and communities that are shaping the ecosystem. In addition, ecosystem partners such as CURIOSS, Ecosyste.ms, the Laboratory for Innovation Science at Harvard, Mozilla Foundation, OpenForum Europe, OpenJS, OpenSSF, Open Source Initiative, Open Technology Fund, Open Source Collective, Sovereign Tech Agency, and Sustain OSS participated and helped provide input, feedback, and ideas as we brought this idea to life.

We are excited for the GitHub Secure Open Source Fund to apply learnings from our OpenSSF community by directly engaging critical projects and developers to help improve the security posture of their software and communities. We’ve long understood that people are the engine that drives open source, and are excited that this model builds on the research collaboration between GitHub, Harvard University, and the Linux Foundation and the OpenSSF community. We look forward to the positive impact on open source maintenance and security.

– Hilary Carter, SVP Research // Linux Foundation, and Christopher Robinson, Chief Architect of OpenSSF // Linux Foundation

Supporting the future for 1 billion developers

This is the beginning of a journey to help find ways to secure open source. By itself, this is not the answer, but we are confident that it will help. We will monitor the impact of these investments and share what we learn as we go.

Join us to invest in and build a safer, more secure open source ecosystem. Our hope is that new programs like the GitHub Secure Open Source Fund will enable a healthier, more diverse, and more secure open source ecosystem for everyone by encouraging a culture of proactive security, and also help organizations demonstrate to their stakeholders the value of investing in open source security. Whether you provide financial investment, promote safe open source practices, share your expertise, or advocate for secure practices, we can all help build a stronger, safer open source community, together.

Written by

Martin Woodward

VP of Developer Relations


2024-11-19 17:00:35