Safety, Security, and Privacy of Open-Source Ecosystems

vulnerabilities in an open-source product and/or its continuous development, integration and deployment infrastructure can potentially be exploited to attack any user (human, organization, and/or another product/entity) of the product. to respond to the growing threats to the safety, security, and privacy of open-source ecosystems (oses), nsf is launching thesafety, security, and privacy for open-source ecosystems(safe-ose) program. this program solicits proposals from oses, including those not originally funded bynsf’s pathways to enable open-source ecosystems (pose)program, to address significant safety, security, and/or privacy vulnerabilities, both technical (e.g., vulnerabilities in code and side-channels) and socio-technical (e.g., supply chain, insider threats). although most open-source products are software-based, it is important to note that safe-ose applies to any type of ose, including those based on scientific methodologies, models, and processes; manufacturing processes and process specifications; materials formulations; programming languages and formats; hardware instruction sets; system designs or specifications; and data platforms. the goal of the safe-ose program is to catalyze meaningful improvements in the safety, security, and privacy of the targeted ose that the ose does not currently have the resources to undertake. funds from this program should be directed toward efforts to enhance the safety, security, and privacy characteristics of the open-source product and its supply chain as well as to bolster the ecosystem’s capabilities for managing current and future risks, attacks, breaches, and responses.