New Mozilla fund will pay for security audits of open source code


A new Mozilla fund, called Secure Open Source, aims to provide security audits of open source code, following the discovery of critical security bugs like Heartbleed and Shellshock in key pieces of software.

Mozilla has set up an initial fund of $500,000 that will be used to pay professional security firms to audit the code of selected open source projects. The foundation will also work with project maintainers to support and implement patches and manage disclosures, and will pay for patch verification to ensure that identified bugs have actually been fixed.

The initial fund will cover audits of some widely used open source libraries and programs.

This decision is a recognition of the growing use of open source software for mission-critical applications and services by businesses, governments and educational institutions. “From Google and Microsoft to the United Nations, open source code is now tightly integrated into the fabric of software that powers the world. Indeed, much of the Internet – including the network infrastructure that supports it – operates using open source technologies,” wrote Chris Riley, public policy manager at Mozilla, in a blog post on Thursday.

Mozilla hopes companies and governments that use open source will join in and provide additional funding for the project.

In testing the SOS program on three open source projects, Mozilla said it found and fixed 43 bugs, including one critical vulnerability and two issues in a widely used image file format. “These early results support our investment hypothesis, and we’re excited to learn more as we open applications,” Riley wrote.

The SOS fund “fills a critical gap in cybersecurity by creating incentives to find bugs in open source and enabling people to fix them,” said James A. Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies, in a press release.

Paying people to find bugs in software, sometimes in the form of challenges, has become common practice, with many companies, including Google, having bug bounty programs.

The Linux Foundation has a Core Infrastructure Initiative (CII) that also aims to secure key open source projects, working with technology companies such as Amazon Web Services, Cisco, Google and Facebook. The CII, launched in April 2014, was a response to the Heartbleed bug.

Describing CII as focused on “necessary and deep investments in core operating system security infrastructure, such as in OpenSSL”, Mozilla said the role of SOS is complementary, as it targets “a different class of OSS projects with low-hanging fruit security needs”.

The SOS is part of a larger program, called Mozilla Open Source Support (MOSS), launched by Mozilla in October last year to support the development of open source and free software. MOSS has an annual budget of approximately $3 million.

To qualify for SOS funding, the software must be open source or free software, with appropriate licenses and approvals, and must be actively maintained. Other factors that will be taken into account include whether a project is already supported by the company, how widely the software is used, whether it is exposed to the network or regularly handles untrusted data, and its importance to the continued operation of the Internet or the Web.

Copyright © 2016 IDG Communications, Inc.