Below is a summary assembled by the Research & Innovation Office (RIO). Please see the full solicitation for complete information about the funding opportunity.

Program Summary听

Vulnerabilities in an open-source product and/or its continuous development, integration and deployment infrastructure can potentially be exploited to attack any user (human, organization, and/or another product/entity) of the product. To respond to the growing threats to the safety, security, and privacy of open-source ecosystems (OSEs), NSF is launching the Safety, Security, and Privacy for Open-Source Ecosystems (Safe-OSE) program. This program solicits proposals from OSEs, including those not originally funded by program, to address significant safety, security, and/or privacy vulnerabilities, both technical (e.g., vulnerabilities in code and side-channels) and socio-technical (e.g., supply chain, insider threats, and social engineering).

Although most open-source products are software-based, it is important to note that Safe-OSE applies to any type of OSE, including those based on scientific methodologies, models, and processes; manufacturing processes and process specifications; materials formulations; programming languages and formats; hardware instruction sets; system designs or specifications; and data platforms. The goal of the Safe-OSE program is to catalyze meaningful improvements in the safety, security, and privacy of the targeted OSE that the OSE does not currently have the resources to undertake. Funds from this program should be directed toward efforts to enhance the safety, security, and privacy characteristics of the open-source product and its supply chain as well as to bolster the ecosystem's capabilities for managing current and future risks, attacks, breaches, and responses.

Deadlines

CU Internal Deadline: 11:59pm MST November 11, 2024

Sponsor Preliminary Proposal Deadline: 5:00pm MST January 14, 2025

Sponsor Full Proposal Deadline: 5:00pm MST April 22, 2025

Internal Application Requirements (all in PDF format)

  • Project Description (3 pages maximum): Please address the following: 1) Describe the current status of the targeted OSE and provide pointers to the OSE managing organization and the public repositories for the open-source product. As the PAPPG does not permit URLs in the Project Description, use the References Cited section of the proposal to identify the appropriate resources. 2) Describe the national/societal/economic impacts of the OSE. 3) Articulate the targeted classes of safety, security, and/or privacy vulnerabilities to be addressed and the broader impacts of addressing them. Discuss, as appropriate, the potential attacks that could take advantage of these vulnerabilities. 4) Briefly describe a development plan to address these vulnerabilities. 5) Briefly describe an evaluation plan to assess the efficacy of the work. 6) Provide information to substantiate compliance with the eligibility requirements.
  • PI Curriculum Vitae
  • Budget Overview (1 page maximum): A basic budget outlining project costs is sufficient; detailed OCG budgets are not required.

To access the online application, visit:

Limited Submission Guidelines

Up to two (2) preliminary proposals per lead organization are allowed. NSF will review the preliminary proposals and provide a binding "Invite" or "Do Not Invite" response for each preliminary proposal. Invited organizations will be allowed to submit a full proposal on the project described in the preliminary proposal by the full proposal submission deadline.

Award Information

  • Year 1: up to $500K; Year 2: up to $1M
  • Anticipated Number of Awards: 10
  • Award Duration: 2 years

Review Criteria

Preliminary proposals will be evaluated on the basis of the following solicitation-specific review criteria:

  1. Does the preliminary proposal present a convincing case that the targeted OSE addresses an issue of significant societal or national importance?
  2. Does the preliminary proposal clearly describe the vulnerability landscape for the OSE and its product(s)?
  3. Does the preliminary proposal provide convincing evidence of a robust community of developers and that a substantial user base exists?
  4. Does the preliminary proposal present clear plans for addressing critical vulnerabilities?
  5. Does the proposing team have the required expertise and experience to undertake the activities described in the preliminary proposal?
  6. Will NSF support serve as the critical catalyst for addressing the identified vulnerabilities (i.e., are there other sources of support that the OSE should be using instead of or in addition to NSF funding)?
  7. Does the preliminary proposal include third-party letters of collaboration attesting to the importance of the vulnerabilities to be addressed from the perspective of users?