Google Puts Muscle Behind oCERT OSS Security

Written by Sam Dean - May. 06, 2008

A while back we covered oCERT, an interesting security reporting and response effort dedicated strictly to open source security problems. Mandriva, OpenBSD and other players are members of oCERT. When we covered oCERT before, Google's Will Drewry was one of the early participants in the effort, and now Google is stepping up to the plate to become one of three sponsors of oCERT. With financial backing from Google, given its long-standing supportive stance toward open source, new systems for distributing patches and many more good things could arrive for OSS applications and platforms.

According to a post from Drewry on Google's security blog:

"I'm proud to announce that Google has sponsored participation in oCERT, the open source computer emergency response team. oCERT is a volunteer workforce of security professionals from the open source community with the goal of providing security vulnerability mediation and incident response services to open source projects."

"It will strive to contact software authors with all security reports and aid in debugging and patching, especially in cases where the author, or the reporter, doesn't have a background in security. Reliable contacts for projects, publishers, and vendors will be maintained where possible and used for notification when issues arise and fixes are available for mediated issues. Additionally, oCERT will aid projects of any size with responses to security incidents, such as server compromises."

Inverse Path and the Open Source Lab are the other sponsors of oCERT, which now looks like it's to be taken seriously. Many nations, of course, have CERT programs to provide emergency response when technology goes awry, but none of those teams have specialized in open source security.

Furthermore, while large teams of developers often help protect the security of open source applications and platforms, there is often no one person who is accountable for the security of a particular application or operating system. Also, there is often no systematic way of distributing patches to the user community, as there is for, say, Windows.

Thus far, oCERT has published only four security advisories. It would be encouraging to see the organization get going with regular patches and advisories about them. Still, it's good news to see this effort picking up steam, and Google's sponsorship should keep it going for a long time.

