Security Experts:

Connect with us

Hi, what are you looking for?



Mozilla Launches Secure Open Source Fund

In an effort to help secure open source software, Mozilla this week announced the creation of Secure Open Source (“SOS”) Fund, which kicks off with an initial $500,000 grant.

In an effort to help secure open source software, Mozilla this week announced the creation of Secure Open Source (“SOS”) Fund, which kicks off with an initial $500,000 grant.

The SOS Fund was created to support security auditing, remediation, and verification for open source software projects, in an attempt to prevent major vulnerabilities from slipping into them, as Heartbleed and Shellshock have in the past. According to Mozilla, there hasn’t been adequate support for securing open source software until now, and the new initiative aims at changing that.

The Fund is part of the Mozilla Open Source Support program (MOSS), and the initial $500,000 funding should cover audits of a series of widely-used open source libraries and programs, Mozilla said. However, Mozilla challenges the millions of organizations out there that leverage open source software to join the initiative and provide additional financial support.

“Open source software is used by millions of businesses and thousands of educational and government institutions for critical applications and services. From Google and Microsoft to the United Nations, open source code is now tightly woven into the fabric of the software that powers the world. Indeed, much of the Internet – including the network infrastructure that supports it – runs using open source technologies,” Chris Riley, Head of Public Policy, Mozilla, notes in a blog post.

The organization also notes that security is a process that requires investments in various areas, including education and best practices, to deliver substantial and lasting benefits. The newly announced Fund is expected to deliver “short-term benefits and industry momentum to help strengthen open source projects,” Riley says.

According to Riley, Mozilla is committed to contract with and pay professional security firms to audit the code of other open source projects, as well as to work with project maintainers to support and implement fixes, and to manage disclosure. The organization will pay for the verification of remediation work too, thus making sure that any identified bugs have been fixed.

Mozilla has already tried out the initiative with audits of three pieces of open source software and says that the process resulted in a total of 43 bugs being uncovered and addressed. One of these was a critical vulnerability, while other two were issues affecting a widely-used image file format (found in the libjpeg-turbo library, they were issues with the JPEG standard itself).

“These initial results confirm our investment hypothesis, and we’re excited to learn more as we open for applications,” Riley says. He also notes that, since everybody relies on open source software, companies and funders should show interest in securing the ecosystem, while developers should apply for support.

In a statement supporting the initiative, James A. Lewis, Senior Vice President and Director, Strategic Technologies Program, Center for Strategic and International Studies, notes that commercial products and key Internet operations rely on open source software but that there’s little interest in patching and updating. He also points out that all software has exploitable flaws, and that this is natural when it comes to coding, but that these bugs create opportunities for crime and disruption if left unattended.

Related: Google Open Sources Vendor Security Assessment Framework

Related: Password Cracking Tool Hashcat Goes Open Source

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.