Shubhra Kar discusses how CommunityBridge will provide smaller open source developers with resources usually restricted to the big guns

Last month, the Linux Foundation unveiled CommunityBridge, a new platform that aims to give developers the resources they need to make open source technologies more secure and sustainable.

The community platform has been launched with three tools: CommunityBridge Funding, which enables developers to raise funds for open source projects; CommunityBridge Security, to provide transparency into potential vulnerabilities through a security scanning and bug bounty service; and CommunityBridge People, which aims to connect open source developers with mentors.

Importantly, there is no cost for maintainers and developers to access and use the CommunityBridge platform. As an incentive for projects to get involved in the early access program, The Linux Foundation is absorbing the cost of any platform and payment processor fees for the first $10 million spent.

“While large open source projects are often well resourced, many smaller projects require more funds, talent, security, diversity, and resources to thrive,” said Jim Zemlin, executive director of the Linux Foundation.

“CommunityBridge is the platform to solve critical challenges and fuel open source innovation and sustainability by empowering people – all in one place.”

The foundation, which celebrates 20 years of supporting open source communities next year, plans to further build CommunityBridge over time so that it provides a full suite of tools to serve open source developers and ecosystems.

With the platform already starting to take shape, The Daily Swig caught up with Shubhra Kar, vice president of products, engineering, and operations at the Linux Foundation, to find out more about the initiative.

What were the primary drivers behind the creation of the CommunityBridge platform?

Shubhra Kar: Open source powers more than 80% of the technology we all use every day, yet many of the world’s most critical developers and open source projects face barriers to growing and sustaining their communities, ranging from challenges with generating funding, to improving security, to advancing developers’ ability to further excel and contribute.

The Linux Foundation developed CommunityBridge to ensure open source developers and their communities have the resources needed to secure and maintain their code, grow their communities, and advance critical open source technologies.

The Linux Kernel Mentorship Program, which includes both full-time and part-time volunteer mentee positions, will run through the CommunityBridge platform. We believe the new CommunityBridge People mentorship program will greatly support the growth of Linux and many other open source projects.

Can you provide any information relating to the CommunityBridge Security ‘scanning service’? How easy is it for developers/maintainers to use this service and check their code for flaws?

SK: If your project is set up on CommunityBridge Funding, then CommunityBridge Security automatically scans your code on a daily basis, adding any detected vulnerabilities to your project dashboards.

Issues (vulnerability defects) are classified as high, medium, or low risk based on CVSS scores determined by factors such as attack vector, attack complexity, user interaction, privileges required, scope, confidentiality, integrity, and availability. CVEs and CWEs in the National Vulnerability Database (NVD) associated with these issues are also displayed.

To provide real-world validation of the vulnerability defects caught, the scanning service also references associated bugs reported by hackers using the HackerOne platform or related GitHub issues that developers in the community identified based on their testing.

Project maintainers can leverage this data to quickly replicate the issues in their deployment environment and address them before they make it all the way to production.

Your code is only as strong as the weakest link in the chain. The service provides a comprehensive inventory of your project’s detected upstream dependencies and plots it into an application dependency tree.

Vulnerabilities detected in the project’s upstream dependencies are also captured and made available to the project to provide actionable data to maintainers, whereby they could switch to more secure upstream libraries/projects, or ask the maintainers of the upstream projects to fix the vulnerability defects – creating a more secure ecosystem.

The security scanning service also provides defect remediation guidance. A maintainer could act on this guidance by upgrading to a higher version of an upstream library that has already fixed the defect identified, or submitting a patch that a fellow community developer has come up with as a potential code fix. Maintainers have the option to utilize the remedy suggested after proper validation in their code base.

For CommunityBridge Security we partnered with Snyk to provide daily vulnerability scanning for all projects on CommunityBridge. Additionally, CommunityBridge Security uses Snyk to scan a project’s repository and identify dependencies’ licenses, with reference to the SPDX license list.

License identification strategies vary by ecosystem, but generally work via a combination of the stated license on the package, retrieving metadata from the registry, and detecting license information in manifest files.
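The same answer describes the dependency side of the scan: inventory the upstream packages, plot them as a tree, attach advisories to the packages they match, suggest the fixed version as remediation, and check the license each manifest states against the SPDX list. This added example (not CommunityBridge or Snyk code) does those steps over a small constructed lockfile. The package names, versions, the advisory with its placeholder id `EXAMPLE-ADVISORY-0001`, and the short SPDX subset are all made up for illustration.

```python
"""Walk a resolved dependency tree, match packages against advisories, report
the path by which each vulnerable package is pulled in, and flag manifests
whose stated license is not an SPDX identifier.

Added example, not CommunityBridge or Snyk code. All data below is constructed.
"""

# Constructed lock data: "name@version" -> stated license and resolved deps.
LOCK = {
    "example-app@1.0.0": {"license": "Apache-2.0",
                          "deps": ["libparse@1.2.0", "libnet@2.0.0", "libutil@3.1.0"]},
    "libparse@1.2.0":    {"license": "MIT",          "deps": ["libcompress@0.9.1"]},
    "libnet@2.0.0":      {"license": "BSD-3-Clause", "deps": ["libcompress@0.9.2"]},
    "libcompress@0.9.1": {"license": "MIT",          "deps": []},
    "libcompress@0.9.2": {"license": "MIT",          "deps": []},
    "libutil@3.1.0":     {"license": "see LICENSE.txt", "deps": []},  # not an SPDX id
}

# Constructed advisory with a placeholder id: versions below fixed_in are affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-0001", "package": "libcompress",
     "fixed_in": "0.9.2", "severity": "High"},
]

# Stand-in for the full SPDX license list.
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-3.0-only"}


def parse_version(v: str) -> tuple:
    """'0.9.10' -> (0, 9, 10) so that versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))


def split_ref(ref: str) -> tuple:
    """'libcompress@0.9.1' -> ('libcompress', '0.9.1')."""
    name, _, version = ref.rpartition("@")
    return name, version


def walk(root: str, lock=LOCK):
    """Yield (ref, path) for every package reachable from root, once per path,
    so a package pulled in twice is reported on both routes. A package already
    on the current path is skipped, which keeps cyclic graphs from looping."""
    stack = [(root, [root])]
    while stack:
        ref, path = stack.pop()
        yield ref, path
        for dep in lock[ref]["deps"]:
            if dep not in path:
                stack.append((dep, path + [dep]))


def find_vulnerable(root: str, lock=LOCK, advisories=ADVISORIES) -> list:
    """Match every reachable package against the advisories and attach the
    remediation the scanner would suggest: move to the first fixed version,
    via the direct dependency that pulls it in when it is transitive."""
    findings = []
    for ref, path in walk(root, lock):
        name, version = split_ref(ref)
        for adv in advisories:
            if adv["package"] != name:
                continue
            if parse_version(version) >= parse_version(adv["fixed_in"]):
                continue
            transitive = len(path) > 2
            remedy = f"upgrade {name} to {adv['fixed_in']}"
            if transitive:
                remedy += (f"; it is pulled in by {path[1]}, so update that package "
                           f"or ask its maintainers to move to the fixed version")
            findings.append({
                "advisory": adv["id"], "severity": adv["severity"], "package": ref,
                "path": " -> ".join(path), "transitive": transitive, "remediation": remedy,
            })
    return sorted(findings, key=lambda f: f["path"])


def unknown_licenses(root: str, lock=LOCK) -> list:
    """Packages whose manifest license string is not a recognised SPDX id;
    these need the registry-metadata or package-file strategies instead."""
    return sorted({ref for ref, _ in walk(root, lock) if lock[ref]["license"] not in SPDX_IDS})


if __name__ == "__main__":
    for f in find_vulnerable("example-app@1.0.0"):
        print(f"[{f['severity']}] {f['advisory']} in {f['package']} via {f['path']}")
        print("   remediation:", f["remediation"])
    print("non-SPDX licenses:", unknown_licenses("example-app@1.0.0"))
```

Note that `libcompress` appears twice in the tree and only the 0.9.1 copy under `libparse` is flagged; the 0.9.2 copy under `libnet` is already at the fixed version, which is exactly the "upgrade the upstream library" remediation the answer describes, applied by one maintainer and not yet by the other.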

Could you talk us through the bug bounty element of the platform?

SK: Projects can choose to allocate funds raised through the CommunityBridge Funding service to administer bug bounty programs through a partnership with HackerOne.

Coordinated vulnerability disclosure (CVD) and bug bounties are proven to improve code for both OSS and proprietary projects, but setting them up can be time-intensive and complex.

By partnering with HackerOne, the Linux Foundation, through CommunityBridge, is seeking to eliminate that overhead and enable more developers to take advantage of this effective mechanism for improving their code.

The bug bounty program is set up and managed by the CommunityBridge team on behalf of each project through a shared program management service at a considerably lower cost versus a standalone model.

Bounty amounts, defect categories, severities, vulnerability disclosure policies for project maintainers, et al, are set up by working with the project leaders/maintainers.

High-level summary information about the bugs captured and bounties paid out is displayed in the funding platform for everyone interested in the project to view. However, detailed bug information is disclosed only to the maintainers of the projects.

You note that there is no cost for maintainers and developers to access and use the CommunityBridge platform. If this initiative is successful, how do you plan to continue the project if, and when, the initial $10 million budget has been used?

SK: CommunityBridge is designed to serve developers and maintainers. No fees of any kind will be charged for the first US$10 million raised through CommunityBridge; the Linux Foundation will underwrite the platform fees and even third-party payment processor fees for these donations.

Every dollar of the first $10 million raised will be available to the projects hosted on CommunityBridge for their use. Once the $10 million milestone has been reached, contributions from individual and corporate donors will be subject to a 5% platform fee plus applicable third-party payment processor fees.

Additionally, we are reaching out to our member community, which includes large enterprises, to donate to the platform, helping us underwrite more of these costs beyond the first wave of $10 million.

Many large enterprises are hugely dependent on the critical open source projects we aim to host on CommunityBridge and have shown willingness to sponsor this initiative.

We have received requests from developers who want to collaborate on developing this platform. We anticipate making available the CommunityBridge platform code as an open source project itself, and will invite contributors to join the effort as soon as we are ready.

Founded in 2000, the Linux Foundation is focused on collaboration in open source software, open standards, open data, and open hardware. Supported by more than 1,000 members, the foundation’s projects are critical to the world’s digital infrastructure, including Linux, Kubernetes, Node.js, and more.