
Title

Securing Open Source Software at the Source: Creating a Center for Open Source Software Infrastructure and Security

Short description

Congress should establish a Center for Open Source Software Infrastructure and Security for 1) identifying and cataloging critical software in need of support and 2) funding critical improvements in open source software security.

Author

@epicfaace

Proposal body

Congress should create a Center for Open Source Software Infrastructure and Security within DHS that does the following:

  1. Identify and catalog critical software in need of support. Congress should initiate an effort to systematically identify the most critical open source software components and develop criteria for determining the criticality and vulnerability of open source software. This effort can be coordinated with CISA, through the National Risk Management Center (NRMC), to determine the open source software components most important to the nation's critical infrastructure sectors and National Critical Functions.[18] This effort should also engage NIST to develop guidelines for assessing the criticality and vulnerability of open source software, with criteria analogous to the Common Vulnerability Scoring System (CVSS).[19] The effort should result in an ongoing catalog that could be made available to other agencies as well as the public, analogous to the National Vulnerability Database (NVD) program.
  2. Fund critical improvements in open source software security. Congress should establish a process for funding OSS components that are determined to be both critical and in need of support, as well as improvements to the general ecosystem. Such funding could include:
     • An emergency fund that supports short-term and narrowly scoped security work, such as bug bounty programs for finding high-severity vulnerabilities or grants for fixing particularly critical vulnerabilities or hardening specific software. For example, qualifying grant proposals could be similar in nature to the Django Fellowship, which helped hire full-time developers to focus on triaging bugs and managing security releases for the open source web framework Django.[23]
     • A fund for non-software-related strategic initiatives or research that may improve the security health of the entire open source ecosystem. For example, this could include events to improve education around security practices in the OSS ecosystem, or research initiatives to better understand how open source developers approach dependency management.

Due diligence

  1. What related work has already been done in this area?
  2. How is this proposal innovative -- what distinguishes it from other related work?
  3. Who is your doer -- who will execute the proposed work?
  4. How might this work be sustained long-term after an initial seed grant?

Resources needed

Legislative advocacy

Paper published summarizing this idea: https://www.plaintextgroup.com/reports/securing-open-source-software-at-the-source