Vulnerabilities in an open-source product and/or its continuous development, integration and deployment infrastructure can potentially be exploited to attack any user (human, organization, and/or another product/entity) of the product. To respond to the growing threats to the safety, security, and privacy of open-source ecosystems (OSEs), NSF is launching the Safety, Security, and Privacy for Open-Source Ecosystems (Safe-OSE) program. This program solicits proposals from OSEs, including those not originally funded by NSF's Pathways to Enable Open-Source Ecosystems (POSE) program, to address significant safety, security, and/or privacy vulnerabilities, both technical (e.g., vulnerabilities in code and sidechannels) and socio-technical (e.g., supply chain, insider threats, and social engineering). Although most open-source products are software-based, it is important to note that Safe-OSE applies to any type of OSE, including those based on scientific methodologies, models, and processes; manufacturing processes and process specifications; materials formulations; programming languages and formats; hardware instruction sets; system designs or specifications; and data platforms. The goal of the Safe-OSE program is to catalyze meaningful improvements in the safety, security, and privacy of the targeted OSE that the OSE does not currently have the resources to undertake. Funds from this program should be directed toward efforts to enhance the safety, security, and privacy characteristics of the opensource product and its supply chain as well as to bolster the ecosystem's capabilities for managing current and future risks, attacks, breaches, and responses.

Proposals to this program should provide clear evidence that OSE team leaders have established a thorough understanding of the threat landscape, vulnerabilities, and/or failure modes for the open-source product(s) managed by the OSE. Proposals should describe, where appropriate, what other products depend upon the safe, secure, and privacypreserving functions of the OSE. Proposals should situate the OSE's threat landscape in the larger context of known threats and/or vulnerabilities and discuss any significant prior incidents affecting the product(s). A realistic plan for addressing risks related to safety, security, and privacy should address the threat landscape and describe how Safe-OSE funding will meaningfully improve the OSE's capabilities for addressing vulnerabilities as well as for detecting and recovering from incidents

NSF Preliminary Proposal Deadline: January 14, 2025

NSF Full Proposal Deadline: April 22, 2025

Link to FOA Here: NSF Safe-OSE funding opportunity 

PI Eligibility:  By the submission deadline, any PI, co-PI, or other Senior/Key Personnel must hold either: 

• a tenured or tenure-track position, or 
• a primary, full-time, paid appointment in a research or teaching position, or 
• a staff leadership role in an Open-Source Program Office or equivalent position
  at a U.S.-based campus of an Institution of Higher Education (see above), with exceptions granted for family or medical leave, as determined by the submitting institution.

Institutional Limit: Institutions are limited to two (2) preliminary proposals. NSF will review the preliminary proposals and provide a binding "Invite" or "Do Not Invite" response for each preliminary proposal. Invited organizations will be allowed to submit a full proposal on the project described in the preliminary proposal by the full proposal submission deadline.

Application Information:   All UD limited submission white papers must use this template found on the Research Office limited submission webpage. Applications not adhering to this requirement will be returned without review.

Merit Review Criteria: Summaries will be reviewed based on the criteria detailed in the solicitation.