Raise $50,000 for CNCF Diversity Scholarships, win prizes, and improve project security
We’re excited to announce our first Security Slam, an event in partnership with Sonatype, where maintainers and contributors will collaborate to improve project security, while winning prizes and raising up to $50,000 in Diversity Scholarships funded by Google.
This virtual event leading up to KubeCon + CloudNativeCon 2022 will use CNCF’s CLOMonitor to keep score. Each project that reaches 100% Security status will win prizes for maintainers and contributors. A donation of $2,500 will also be made in their name to CNCF’s Diversity Scholarship Fund, but it’s not just about the prizes, as each project that reaches 100% Security will have significantly improved their project’s security and be closer to CNCF’s overall security goals.
Google is donating up to $50,000, and we hope to make this the largest donation ever for our Diversity Scholarships!
We need YOU to sign up your project to participate. Just fill out this form; the sooner the better, to ensure enough time for contributors to help get your project’s security score to 100%. Kubernetes has already signed up, but we need to get 20 projects reaching 100% Security to get the full $50,000 donation to our Diversity Scholarship Fund!
To our beloved contributors, and future first-time contributors, we need you too! Sign up to participate, join our #security-slam channel in the CNCF slack, and help us get our projects to 100%. We’ll teach you about best practices as you learn to contribute security practices to your favorite open source projects.
You can also win Linux Foundation training classes and CNCF store gift cards, which will be awarded to:
The maintainer who contributes the most to helping their project reach 100% Security
The top contributor for each project that reaches 100% Security
The top first-time contributor for each project that reaches 100% Security
Additionally, the top overall participant will receive a travel scholarship (airfare+hotel) to next year’s KubeCon, compliments of Open Source Travel Fund by Community Classroom.
Learn more at https://community.cncf.io/cloud-native-security-slam/
Maintainers, sign up your project now.
Contributors (and participating maintainers), register here to get started.
We’ll be sending out emails during the event and posting in the #security-slam CNCF Slack channel with tips and strategies for how to get projects to a 100% Security score in CLOMonitor. Join the Slack channel today to join in the conversation.
We look forward to your participation to help improve CNCF projects’ security and raise money for our Diversity Scholarship Fund!
Jeffrey Sica (@jeefy)
Developer Experience / Projects, CNCF
It doesn't seem that TAG-Security was part of the process of forming these recommendations. A lot of the recommendations listed seem to be without security value (e.g., enabling google analytics). Where did these guidelines come from and why?
For those who want to secure their project, the OpenSSF Best Practices seems to be a much more reasonable set of recommendations.
Is this a marketing email that is disguised as security recommendations? If it is marketing, it should be much more clearly labeled as such.
This is an experiment to help with CNCF project onboarding tasks (that some projects are slow on) and security practices recommended by https://sos.dev/#what-security-improvements-qualify and OpenSSF. We'd love to have the Security TAG involved next time around if this experiment is successful; we just tried to get something new at KubeCon that wasn't just a "bug bash".
Thanks for understanding.
On Mon, Oct 10, 2022 at 12:55 PM Justin Cappos <jcappos@...> wrote:
Chris Aniszczyk (@cra)
The intent to do something engaging and different is not lost. This is cool. It's just that security is a small fraction of what CLOMonitor weighs. The bulk of the score is docs, licenses, and having Slack and GitHub Discussions set up. Then the list of actual security items is nowhere near as exhaustive or rigorous as the CII Best Practices Badges.
Perhaps a slight reframing from "attaining 100% security" or "The Security Slam" to "Security Onboarding Slam" helps? Earning the score is not the finish line but just the start. My suggestion here is to add an extra word or two to the signup and learn more pages. We simply want to be careful not to send a message that a project is done in terms of security once it gets a 100% on CLOMonitor.
On Mon, Oct 10, 2022 at 11:16 AM Chris Aniszczyk <caniszczyk@...> wrote: