The Mozilla Foundation has set up the Secure Open Source (SOS) Fund, whose aim is to help open source software projects get rid their code of vulnerabilities.
“The Fund is part of the Mozilla Open Source Support program (MOSS) and has been allocated $500,000 in initial funding, which will cover audits of some widely-used open source libraries and programs,” Chris Riley, Mozilla’s Head of Public Policy, explained.
“But we hope this is only the beginning. We want to see the numerous companies and governments that use open source join us and provide additional financial support.”
Projects that want Mozilla’s help must be open source/free software and must be actively maintained, but they have a much better probability to being chosen if the software is commonly used and is vital to the continued functioning of the Internet or the Web.
The application form can be found here.
Projects that make the cut will get the following:
- A professional security firm will audit their code
- Mozilla’s help with implementing the fixes and managing bug disclosure
- Another code audit to make sure that the fixes work as they should.
Three open source projects – PCRE, libjpeg-turbo, and phpMyAdmin – have already gone through the process, and the result was 43 vulnerabilities fixed (including one critical).
“We’ve been asked how this project compares to the Core Infrastructure Initiative of the Linux Foundation. Here’s a short answer: We believe our model of support is different from and complementary to CII’s,” Mozilla noted.
“We view CII as focused on necessary, deeper-dive investments into the core OS security infrastructure, like in OpenSSL. This is important work. Focusing on more point-in-time solutions, the SOS Fund’s audit and remediation methodology targets a different class of OSS projects with lower-hanging fruit security needs. To have substantial and lasting benefit in tackling such a significant issue as open source security, we need a broad range of solutions, including investment, audits, education, best practices, and a host of others. We believe the SOS Fund, alongside CII and other efforts, can help catalyze industry momentum to strengthen open source security.”