NSF 24-608: Safety, Security, and Privacy of Open-Source Ecosystems (Safe-OSE)
Limit: 2 // Available: 0
Soheil Salehi (Electrical and Computer Engineering)
Micheal Wu (Electrical and Computer Engineering)
Vulnerabilities in an open-source product (software and non-software) and/or its continuous development, maintenance, integration, and deployment infrastructure can potentially be exploited to attack any user (human, organization, and/or another product/entity) of the product and/or its derivations. To respond quickly to the growing threats to the safety, security, and privacy of OSEs, NSF is launching the Safety, Security, and Privacy of Open-source Ecosystems (Safe-OSE) program.
This program seeks to fund impactful, mature open-source ecosystems to address important classes of safety, security, and privacy vulnerabilities. In this context, mature signifies that the ecosystem in question has already established a robust community of contributors, an extensive group of users, a managing organization that steers the development of the product, and the essential infrastructure needed to keep the ecosystem running.
This program grows out of the Pathways to Enable Open-Source Ecosystems (POSE) program, which supports new managing organizations in catalyzing distributed, community-driven development and growth of new OSEs. Safe-OSE responds to the discerned need to address safety, security, and privacy vulnerabilities in impactful OSEs.
Unlike NSF's Dear Colleague Letter inviting proposals related to open-source software security (NSF 23-149), which focuses on fundamental cybersecurity research, the Safe-OSE program solicits proposals from OSEs, including those not originally funded by POSE, to address safety, security, and/or privacy vulnerabilities proactively in existing, mature OSEs. These vulnerabilities can be technical (e.g., vulnerabilities in code, side-channels potentially disclosing sensitive information) and/or socio-technical (e.g., supply chain issues, insider threats, biases, and social engineering), as long as they are deemed significant in the context of the OSE. The goal of the Safe-OSE program is to catalyze meaningful improvements in the safety, security, and privacy of the targeted OSE that the managing organization does not currently have the resources to undertake. The program especially focuses on efforts in which enhancing the safety, security, and privacy of the OSE will lead to demonstrable improvement in its positive societal and economic impacts.
Proposals to this program should provide clear evidence that OSE team leaders have established a thorough understanding of the threat landscape, vulnerabilities, and/or failure modes for the open-source product(s) managed by the OSE. Proposals should describe, where appropriate, what other products depend upon the safe, secure, and privacy-preserving functions of the OSE. Proposals should situate the OSE's threat landscape in the larger context of known threats and/or vulnerabilities and discuss any significant prior incidents affecting the product(s). A realistic plan for addressing risks related to safety, security, and privacy should address the threat landscape and describe how Safe-OSE funding will meaningfully improve the OSE's capabilities for addressing vulnerabilities as well as for detecting and recovering from incidents.
Funds from this program should not be directed toward fundamental research or at readily resolvable, known bugs/issues, but rather toward strategies, methods, and actions that will fundamentally improve the open-source product's safety, security, and privacy stance. Funds from this program can also be directed at efforts to bolster the OSE's resiliency for recovering from future incidents. Thus, the proposal should articulate how Safe-OSE funding will improve the broader national, societal, and/or economic impacts of the OSE by hardening it against adverse events over the long term.
Who May Submit Proposals:
Proposals may only be submitted by the following:
- Non-profit, non-academic organizations: Independent museums, observatories, research laboratories, professional societies and similar organizations located in the U.S. that are directly associated with educational or research activities.
- For-profit organizations: U.S.-based commercial organizations, including small businesses, with strong capabilities in scientific or engineering research or education and a passion for innovation.
- State and Local Governments
- Tribal Nations: An American Indian or Alaska Native tribe, band, nation, pueblo, village, or community that the Secretary of the Interior acknowledges as a federally recognized tribe pursuant to the Federally Recognized Indian Tribe List Act of 1994, 25 U.S.C. §§ 5130-5131.
- Institutions of Higher Education (IHEs): Two- and four-year IHEs (including community colleges) accredited in, and having a campus located in, the U.S., acting on behalf of their faculty members.
Who May Serve as PI:
For Institutions of Higher Education:
By the submission deadline, any PI, co-PI, or other Senior/Key Personnel must hold either:
- a tenured or tenure-track position, or
- a primary, full-time, paid appointment in a research or teaching position, or
- a staff leadership role in an Open-Source Program Office or equivalent position
at a U.S.-based campus of an Institution of Higher Education (see above), with exceptions granted for family or medical leave, as determined by the submitting institution.
Individuals with primary appointments at overseas branch campuses of U.S. institutions of higher education are not eligible. Researchers from foreign academic institutions who contribute essential expertise to the project may participate as Senior/Key Personnel or collaborators but may not receive NSF support.
For all other eligible proposing organizations:
The PI must be an employee of the proposing organization who is normally resident in the U.S. and must be acting as an employee of the proposing organization while performing PI responsibilities. The PI may perform the PI responsibilities while temporarily out of the U.S.
Individuals with primary appointments at non-U.S. based non-profit or non-U.S. based for-profit organizations are not eligible.
Limit on Number of Proposals per Organization: 2
Up to two (2) preliminary proposals per lead organization are allowed. NSF will review the preliminary proposals and provide a binding "Invite" or "Do Not Invite" response for each preliminary proposal. Invited organizations will be allowed to submit a full proposal on the project described in the preliminary proposal by the full proposal submission deadline.
Limit on Number of Proposals per PI or co-PI:
There are no restrictions or limits.