New GitHub fund aims to improve open-source security

20 Nov 2024

Image: © Maryna Lytkina/Stock.adobe.com

According to GitHub, only 6pc of organisations investing in open source prioritise comprehensive security audits.

Code-hosting platform GitHub has launched a $1.25m funding program aimed at supporting 125 open-source projects.

In an announcement yesterday (19 November), the platform said that the GitHub Secure Open Source Fund – a “first-of-its-kind, cohort-based program” – aims to “improve security and sustainability of open-source projects” through monetary support and an educational program.

Each successful project, consisting of a maximum of three participants, will receive $10,000, and a three-week certification program that will include weekly instruction, one-to-one support, workshops, project work and access to tools including GitHub Copilot and Autofix.

Microsoft-owned Github allows developers to collaborate on open-source codes, so that other developers can contribute to code that is not their own – while allowing the owner of the code the ability to accept or reject changes made by other members of the developer community.

An estimated $7.7bn is invested into open source annually, said GitHub, adding that it has seen the impact organisations have when investing in their open-source dependencies.

“We all stand to benefit from unlocking more funding for open source,” said the platform.

However, the organisation found that security audits are not a priority for organisations investing in open source, with 94pc of security efforts focusing only on bugs and maintenance.

Dealing with security reports and fixing issues takes time, the organisation said, who spoke to developers and found that funding would allow some developers time to focus on improving security while providing others the opportunity to learn.

“By tackling problems like open-source security as an ecosystem, we believe we can help create more available funding and resources that are vital to the sustainability of open source,” the platform said.

The fund is backed by American Express, Microsoft, Shopify and Stripe, among others, and GitHub is open to accepting more partners, it said in the announcement.

Applications for the program are open and will be reviewed on a rolling basis until 7 January next year.

In 2022, following supply chain attacks on its platform, GitHub introduced a new strategy to boost the security of its open-source projects. Now, the platform uses code signing for its npm software packages using the platform Sigstore.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Suhasini Srinivasaragavan is a sci-tech reporter for Silicon Republic

editorial@siliconrepublic.com