Safety, Security, and Privacy of Open-Source Ecosystems

The Safety, Security, and Privacy of Open-Source Ecosystems program is a National Science Foundation program solicitation issued as NSF 24-608 by the Directorate for Computer and Information Science and Engineering, Directorate for STEM Education, and Directorate for Technology, Innovation and Partnerships. The solicitation is archived, but it states recurring annual due dates. NSF is an independent federal agency that supports research and education across science and engineering fields through grants and cooperative agreements. This program responds to growing safety, security, and privacy threats affecting open-source ecosystems and their users. The program supports mature, impactful open-source ecosystems that need resources to address significant technical or socio-technical vulnerabilities. Eligible ecosystems may be software-based or may involve scientific methodologies, models and processes, manufacturing processes, materials formulations, programming languages and formats, hardware instruction sets, system designs or specifications, or data platforms. NSF emphasizes that the goal is not fundamental research or routine bug fixing, but meaningful improvement in the safety, security, and privacy stance of an existing ecosystem and its supply chain. Funds may be used for strategies, methods, actions, resiliency work, development plans, evaluation activities, and related work that improve the open-source product and the ecosystem's ability to manage current and future risks, attacks, breaches, and responses. Proposals should show that the ecosystem has a robust community of contributors, a substantial user base, a managing organization, and infrastructure needed to keep the ecosystem running. Proposals must describe the threat landscape, vulnerabilities or failure modes, prior incidents where applicable, dependent products, national, societal, or economic impacts, development milestones, and evaluation plans. Awards are anticipated as cooperative agreements. NSF estimated 10 awards and total program funding of $15,000,000. Each award is for 24 months with a total budget up to $1,500,000. The Year 1 budget may be up to $500,000, and Year 2 may be up to $1,000,000, subject to successful progress evaluation and availability of funds. Inclusion of voluntary committed cost sharing is prohibited. Indirect cost limitations and other budgetary limitations are listed as not applicable, though the solicitation includes detailed budget justification rules and states that organizations without a negotiated indirect cost rate agreement may elect to use a de minimis rate of up to 15 percent of modified total direct costs. Eligible applicants include U.S.-located nonprofit non-academic organizations directly associated with educational or research activities, U.S.-based for-profit organizations including small businesses with strong scientific or engineering research or education capabilities, state and local governments, federally recognized Tribal Nations, and accredited two-year and four-year institutions of higher education with a U.S. campus. For institutions of higher education, PIs, co-PIs, and senior or key personnel must hold an eligible U.S.-based appointment by the deadline. For other eligible organizations, the PI must be an employee normally resident in the United States. Nonprofit and for-profit proposing organizations must also satisfy U.S.-based, U.S.-owned, and U.S.-controlled requirements. The PI and employees receiving Safe-OSE funding must have a legal right to work in the United States. Preliminary proposals are required and must be submitted through Research.gov. Preliminary proposals include a cover sheet, project summary, project description of up to five pages, references cited, and three to five letters of collaboration from end-user organizations or users with working knowledge of the open-source product and vulnerabilities. NSF reviews preliminary proposals and issues binding Invite or Do Not Invite responses. Invited organizations may submit a full proposal through Research.gov or Grants.gov, although the solicitation says proposers should submit via Research.gov. Full proposals must follow NSF PAPPG or NSF Grants.gov Application Guide requirements and solicitation-specific instructions, including a title beginning with "NSF Safe-OSE:", required keywords in the project summary, a project description of up to 15 pages, budget documentation, a data management and sharing plan, mentoring plan if applicable, letters of collaboration, and a project personnel, collaborators, and partner organizations list. Preliminary proposals are evaluated for the societal or national importance of the targeted ecosystem, description of the vulnerability landscape, evidence of developer community and user base, plans for addressing critical vulnerabilities, team expertise, whether NSF funding is catalytic, and third-party letters. Full proposals are evaluated under NSF intellectual merit and broader impacts criteria plus solicitation-specific criteria including vulnerability landscape, community and user base, build and test infrastructure, quality control and security procedures, milestones, evaluation plan, team expertise, catalytic need, and letters. The preliminary proposal deadline was January 14, 2025, with the second Tuesday in January annually thereafter. The full proposal deadline was April 22, 2025, with the fourth Tuesday in April annually thereafter. General program inquiries go to safeose@nsf.gov or 703-292-7529.