Recently a pilot for the Secure Open Source Rewards program was
announced [1]. Currently this program is run by the Linux Foundation and
sponsored by the Google Open Source Security Team.
The page mentions that patches for issues discovered by OSS-Fuzz may be
eligible for rewards. This seems like it could be a good incentive for
fixing fuzzer bugs.
A couple notes:
* The program also rewards contributions besides fuzzer-bug fixes.
Check out the page for full details.
* It seems that QEMU would qualify for this program. The page mentions
that the project should have a greater than 0.6 OpenSSF Criticality
Score [2]. This score factors in statistics collected from github
(sic!). QEMU's score is currently 0.81078
* Not limited to individual contributors. Vendors can also qualify for
rewards.
* Work completed before Oct 1, 2021 does not qualify.
* Individuals in some sanctioned countries are not eligible.
* The process seems to be:
1. Send a fix upstream
2. Get it accepted
3. Fill out a form to apply for a reward
Any thoughts about this? Should this be something we document/advertise
somewhere, so developers are aware of this opportunity?
[1] https://sos.dev/
[2] https://github.com/ossf/criticality_score
-Alex
