Firefox creator wants to save open source by starting fund to help community prevent security threats
Firefox maker Mozilla has launched a fund to try and make sure open source software projects stay secure.
The SOS (Secure Open Source) Fund is one part of Mozilla’s wider open source support program called MOSS, and is launched with $500,000 (£350,000) of initial funding.
This cash, according to Mozilla, will go towards “security auditing, remediation, and verification for key open source software projects”.
Mozilla’s Chris Riley penned a blog post this week to announce the fund, where he explained how adequate support for securing open source software is still a problem unsolved, and that the SOS Fund can be the beginning of a change.
“We want to see the numerous companies and governments that use open source join us and provide additional financial support,” said Riley.
“We challenge these beneficiaries of open source to pay it forward and help secure the Internet.”
Firstly, Mozilla will contract with and pay professional security firms to audit other projects’ code. Mozilla will also work with project maintainers to support and implement fixes and manage disclosure.
Lastly, Mozilla said it will help pay for the remediation work to be verified and ensure any bugs have been fixed.
According to Riley, Mozilla has already tested this process with the audits of three pieces of software.
“In those audits we uncovered and addressed a total of 43 bugs, including one critical vulnerability and two issues with a widely-used image file format. These initial results confirm our investment hypothesis, and we’re excited to learn more as we open for applications,” he said.
Major security bugs in open source software have been a pain point for the online community for some time now. Flaws such as Heartbleed and Shellshock have not only put users at risk but confirm naysayer opinions that open source software cannot be successful or safe.
Last October, executive director of the Linux Foundation Jim Zemlin said that there needs to be more security education in the open source software community.
Speaking at a keynote during London’s IP Expo, Zemlin said: “Heartbleed literally broke the security of the Internet. Over a long period of time, whether we knew it or not, we became dependent on open source for the security and Integrity of the internet.”
Linux’s answer to this was the Core infrastructure Initiative (CII), a Linux-Foundation led initiative to improve open source security.
The CII offers testing tools and has also launched accreditation programmes for projects that adhere to certain criteria.
“We want to find the projects on the Internet that are broken and fix them. We have raised a multi-million fund to provide grants to projects to help them out,” he said.