Status of Secure Open Source Rewards program
The Secure Open Source (SOS) program was established as a program to address the very long tail of open source security. The idea was simple: create financial incentives to find and fix security issues in all open source projects. After 24 months in action, the program disbursed $353,000 for 189 improvements. We are particularly grateful to all the contributors for their efforts.
Although these results were positive, they also made clear that this approach will not scale to the problem at hand. The SOS program has therefore been decommissioned in favour of alternative approaches: the Linux Foundation and Google continue to support open source security work at scale through the Linux Foundation's Alpha-Omega project and to fund individual contributions through Google's Patch Rewards Program.
The Patch Rewards Program has been around since 2013 and seeks to reward patches (or pull requests) that improve the security of an in-scope project. The Alpha-Omega project mission is to protect society by catalyzing sustainable security improvements to the most critical open source software projects and ecosystems. Since 2022, Alpha-Omega has disbursed over $8M in grants to improve open source security. For more information please visit the Patch Rewards Program and Alpha-Omega websites respectively.
The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.
OpenSSF Scorecard - Security health metrics for Open Source - ossf/scorecard
A Python-based CLI tool designed to scan GitLab projects for compliance against the CIS GitLab Benchmark. Check out the recommendations-as-code...
The Center for Internet Security (CIS) has published a series of benchmarks for Microsoft products and services
Learn why CIS Benchmarks matter, how the CIS GitLab Benchmark was created, and how to use it to properly secure your GitLab installation.
A semantic diff utility and library for tree-like files such as JSON, JSON5, XML, HTML, YAML, and CSV. - trailofbits/graphtage
CSP Evaluator allows developers and security experts to check if a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks. It assists with the process of reviewing CSP policies, which is usually a manual task, and helps identify subtle CSP bypasses which undermine the value of a policy. CSP Evaluator checks are based on a large-scale study and are aimed to help developers to harden their CSP and improve the security of their applications. This tool (also available as a Chrome extension) is provided only for the convenience of developers and Google provides no guarantees or warranties for this tool.
An easy-to-use secure configuration generator for web, database, and mail software. Simply select the software you are using and receive a configuration file that is both safe and compatible.
Evergreen guidance on password management approaches.
Talkback is a smart infosec resource aggregator, designed to help security enthusiasts, practitioners and researchers be more productive.
U.S. schools rely on information technology for many operations. But cybersecurity incidents, like ransomware attacks, could significantly affect...
LdapNightmare is a PoC tool that tests a vulnerable Windows Server against CVE-2024-49113 - SafeBreach-Labs/CVE-2024-49113
The new Brain Cipher ransomware operation has begun targeting organizations worldwide, gaining media attention for a recent attack on Indonesia's temporary National Data Center.
The Indonesian National Data Center was hit by a significant ransomware attack with the ransomware identified as Brain Cipher, a new variant of LockBit 3.0.
Attribution of the December 2024 Rhode Island ransomware incident was linked to this group.