In an effort to help secure open source software, Mozilla this week announced the creation of Secure Open Source (“SOS”) Fund, which kicks off with an initial $500,000 grant.
The SOS Fund was created to support security auditing, remediation, and verification for open source software projects, in an attempt to prevent major vulnerabilities from slipping into them, as Heartbleed and Shellshock have in the past. According to Mozilla, there hasn’t been adequate support for securing open source software until now, and the new initiative aims at changing that.
The Fund is part of the Mozilla Open Source Support program (MOSS), and the initial $500,000 funding should cover audits of a series of widely-used open source libraries and programs, Mozilla said. However, Mozilla challenges the millions of organizations out there that leverage open source software to join the initiative and provide additional financial support.
“Open source software is used by millions of businesses and thousands of educational and government institutions for critical applications and services. From Google and Microsoft to the United Nations, open source code is now tightly woven into the fabric of the software that powers the world. Indeed, much of the Internet – including the network infrastructure that supports it – runs using open source technologies,” Chris Riley, Head of Public Policy, Mozilla, notes in a blog post.
The organization also notes that security is a process that requires investments in various areas, including education and best practices, to deliver substantial and lasting benefits. The newly announced Fund is expected to deliver “short-term benefits and industry momentum to help strengthen open source projects,” Riley says.
According to Riley, Mozilla is committed to contract with and pay professional security firms to audit the code of other open source projects, as well as to work with project maintainers to support and implement fixes, and to manage disclosure. The organization will pay for the verification of remediation work too, thus making sure that any identified bugs have been fixed.
Mozilla has already tried out the initiative with audits of three pieces of open source software and says that the process resulted in a total of 43 bugs being uncovered and addressed. One of these was a critical vulnerability, while other two were issues affecting a widely-used image file format (found in the libjpeg-turbo library, they were issues with the JPEG standard itself).
“These initial results confirm our investment hypothesis, and we’re excited to learn more as we open for applications,” Riley says. He also notes that, since everybody relies on open source software, companies and funders should show interest in securing the ecosystem, while developers should apply for support.
In a statement supporting the initiative, James A. Lewis, Senior Vice President and Director, Strategic Technologies Program, Center for Strategic and International Studies, notes that commercial products and key Internet operations rely on open source software but that there’s little interest in patching and updating. He also points out that all software has exploitable flaws, and that this is natural when it comes to coding, but that these bugs create opportunities for crime and disruption if left unattended.
Related: Google Open Sources Vendor Security Assessment Framework