Mozilla May Be Pleased to Pay For Your Open Source Security Audit

by Ostatic Staff - Jun. 10, 2016

You can always count on Mozilla for an interesting spin on open source. The company has launched the Secure Open Source (SOS) Fund to give open source developers the money to pay for professional security audits of their software.

Chris Riley, Head of Public Policy at Mozilla, said in a post that the SOS Fund, part of the Mozilla Open Source Support program (MOSS), will be targeted at developers who need substantial help in improving the security of their open source projects.

He writes that Heartbleed and other security incidents helped prompt the new idea:

"Major security bugs in core pieces of open source software – such as Heartbleed and Shellshock – have elevated highly technical security vulnerabilities into national news headlines. Despite these sobering incidents, adequate support for securing open source software remains an unsolved problem, as a panel of 32 security professionals confirmed in 2015. We want to change that, starting today with the creation of the Secure Open Source (“SOS”) Fund aimed at precisely this need."

"The SOS Fund will provide security auditing, remediation, and verification for key open source software projects. The Fund is part of the Mozilla Open Source Support program (MOSS) and has been allocated $500,000 in initial funding, which will cover audits of some widely-used open source libraries and programs. But we hope this is only the beginning. We want to see the numerous companies and governments that use open source join us and provide additional financial support. We challenge these beneficiaries of open source to pay it forward and help secure the Internet."

Mozilla says it is focusing on three goals:

- Mozilla will contract with and pay professional security firms to audit other projects’ code;
- Mozilla will work with the project maintainer(s) to support and implement fixes, and to manage disclosure; and
- Mozilla will pay for the remediation work to be verified, to ensure any identified bugs have been fixed.

"We have already tested this process with audits of three pieces of open source software," Mozilla reports. "In those audits we uncovered and addressed a total of 43 bugs, including one critical vulnerability and two issues with a widely-used image file format. These initial results confirm our investment hypothesis, and we’re excited to learn more as we open for applications."

If you’re a developer, you can apply for support from Mozilla. And the company is looking for potential funders of the initiative to join.