To help remedy this, David A. Wheeler, the LF's director of Open Source Supply Chain Security, recently revealed the LF or its related foundations and projects directly fund people to do security work. Here's how it works.
The proposal is then examined by the appropriate LF technical review point of contact (POC). This POC is often Wheeler himself.
Once your project is approved, progress reports are made approximately once a month. These must include:
A stable URL of a publicly accessible post (e.g., a blog or archived mailing list post) describing what you did that month.
The post must briefly describe what has been accomplished using the funding since the last invoice. Include its date and hyperlinks to details. If git commits were involved, include hyperlinks to them. Make it easy for technical people to learn details (e.g., via hyperlinks).
Also briefly describe why this work is important or link to such description(s), for someone who is not intimately familiar with it. Some readers may see your post out of context.
Give credit, similar to National Public Radio. (e.g., "This work to <X> was [partially] funded by the OpenSSF, Google, and The Linux Foundation.") Thanking others is always polite. We also want people to consider funding OSS security as normal.
Publicly provide an identifier (a personal name, pseudonym, or project name) of who's doing the work. This simplifies referring to the work. You do not need to reveal your personal name(s) publicly, though you're welcome to do so.
This is a lightweight process. It shouldn't take more than 20 minutes to write these reports. You may find it easier to write your post while you do the work. Funded work must be available under the appropriate open-source licenses. For example, bug fixes to Linux must be licensed under the Gnu General Public Licenses Version 2 (GPLv2).
The POC will then review the post, and if it seems reasonable, approve the payment. Wheeler explained: "We understand that sometimes problems arise. We just want to see credible efforts. If there's a serious roadblock, try to suggest ways to overcome it or provide partial/incremental benefits. We need to provide confidence to funders that we aren't wasting their money."
So, what kind of projects are we walking about? Wheeler cites several examples. These include:
Ariadne Conill, the Alpine Linux security team chair, is improving this important container Linux distro's security. In particular, Conill has improved its vulnerability processing and made it reproducible. For example, this resulted in Alpine 3.14 being released with the lowest open vulnerability count in the final release in a long time.
It's not just Linux-related programs that get security help. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, has received funding to secure OpenSSH's plumbing. OpenSSH is an important suite of secure Secure Shell (ssh)networking utilities based on the protocol. De Raadt has also been funded to help secure Resource Public Key Infrastructure (RPKI), which protects internet routing protocols from attack.
If you'd like to help pay for this kind of work, the LF wants to hear from you. You can contribute to the OpenSSF by just contacting the organization, Or, if you'd rather, you can create a grant directly with the Linux Foundation itself. If you have questions just email Wheeler at firstname.lastname@example.org. For smaller amounts -- say, to fund a specific project -- you can also use the LFX crowdfunding tools to fund or request funding.
Having trouble with the business side of funding security coding and audits? You're not alone. As Wheeler said: "Many people and organizations struggle to pay individual open-source software developers because of the need to handle taxes and oversight. If that's your concern, talk to us. The LF has experience and processes to do all that, letting experts focus on getting the work done."