
### Title
<!-- A short, pithy title for the proposal. -->
Securing Open Source Software at the Source: Creating a Center for Open Source Software Infrastructure and Security
### Short description
<!-- A short, one-sentence description of the proposal. -->
Congress should establish a Center for Open Source Software Infrastructure and Security for 1) identifying and cataloging critical software in need of support and 2) funding critical improvements in open source software security.
### Author
<!-- Put your GitHub username(s) here. The proposal author will "own" the proposal and will be able to accept future changes to it. -->
@epicfaace
### Proposal body
<!-- Explain your proposal. Add as much as you want, within reason! -->
Congress should create a Center for Open Source Software Infrastructure and Security within DHS that does the following:
1. **Identify and catalog critical software in need of support.** Congress should initiate an effort to systematically identify the most critical open source software components and develop criteria for determining the criticality and vulnerability of open source software. This effort can be coordinated with CISA, through the National Risk Management Center (NRMC), to determine the open source software components most important to the nation's critical infrastructure sectors and National Critical Functions.[18] This effort should also engage NIST to determine guidelines for the criticality and vulnerability of open source software, creating criteria analogous to the Common Vulnerability Scoring System (CVSS).[19] The effort should result in an ongoing catalog that could be made available to other agencies as well as the public, analogous to the National Vulnerability Database (NVD) program.
2. **Fund critical improvements in open source software security.** Congress should establish a process for funding OSS components that are determined to be both critical and in need of support, as well as improvements to the general ecosystem. Such funding could include:
   - An emergency fund that supports short-term and narrowly scoped security work, such as bug bounty programs for finding high-severity vulnerabilities or grants for fixing particularly critical vulnerabilities or hardening specific software. For example, qualifying grant proposals could be similar in nature to the Django Fellowship, which helped hire full-time developers to focus on triaging bugs and managing security releases for the open source web framework Django.[23]
   - A fund for non-software-related strategic initiatives or research that may improve the security health of the entire open source ecosystem. For example, this could include events to improve education around security practices in the OSS ecosystem or research initiatives to better understand how open source developers approach dependency management.
### Due diligence
<!-- Please answer the following due diligence questions; it's okay to answer "N/A" if you don't know yet. -->
1. **What related work has already been done in this area?** <!-- Insert answer here -->
2. **How is this proposal innovative -- what distinguishes it from other related work?** <!-- -->
3. **Who is your doer -- who will execute the proposed work?** <!-- Insert answer here -->
4. **How might this work be sustained long-term after an initial seed grant?** <!-- Insert answer here -->
### Resources needed
<!-- What resources are needed (grant money, advisors, expertise, etc.) to realize this proposal? -->
Legislative advocacy
### Other links and resources
<!-- Add any other links, images, or resources that are relevant to the proposal -->
Paper published summarizing this idea: https://www.plaintextgroup.com/reports/securing-open-source-software-at-the-source