New Mozilla fund will pay for security audits of open-source code

The project will have a US$500,000 fund to start with

A new Mozilla fund, called Secure Open Source, aims to provide security audits of open-source code, following the discovery of critical security bugs like Heartbleed and Shellshock in key pieces of software.

Mozilla has set up a US$500,000 initial fund that will be used for paying professional security firms to audit project code. The foundation will also work with the people maintaining the project to support and implement fixes and manage disclosures, while also paying for the verification of the remediation to ensure that identified bugs have been fixed.

The initial fund will cover audits of some widely-used open source libraries and programs.

The move is a recognition of the growing use of open-source software for critical applications and services by businesses, government and educational institutions. “From Google and Microsoft to the United Nations, open source code is now tightly woven into the fabric of the software that powers the world. Indeed, much of the Internet - including the network infrastructure that supports it - runs using open source technologies,” wrote Chris Riley, Mozilla’s head of public policy, in a blog post Thursday.

Mozilla is hoping that the companies and governments that use open source will join it and provide additional funding for the project.

In a trial of the SOS program on three pieces of open-source software, Mozilla said it found and fixed 43 bugs, including a critical vulnerability and two issues in connection with a widely-used image file format. “These initial results confirm our investment hypothesis, and we’re excited to learn more as we open for applications,” Riley wrote.

The SOS fund "fills a critical gap in cybersecurity by creating incentives to find the bugs in open source and letting people fix them," said James A. Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies, in a statement.

Paying people to find bugs in software, sometimes in the form of challenges, has become common practice, with many companies including Google having bug bounty programs.

The Linux Foundation has a Core Infrastructure Initiative that also aims to secure key open-source projects, in collaboration with technology companies like Amazon Web Services, Cisco, Google and Facebook. The CII, set up in April 2014, was a response to the Heartbleed bug.

Describing the CII as focused on "necessary, deeper-dive investments into the core OS security infrastructure, like in OpenSSL," Mozilla said the role of SOS is complementary as it targets "a different class of OSS projects with lower-hanging fruit security needs."

The SOS is part of a larger program, called Mozilla Open Source Support, launched by Mozilla in October last year to support open source and free software development. MOSS has an annual budget of about $3 million.

To qualify for SOS funding, the software must be open source or free software, with the appropriate licenses and approvals, and must be actively maintained. Other factors that will be considered include whether a project already has corporate backing, how widely the software is used, whether it is network-facing or regularly processes untrusted data, and its importance to the continued functioning of the Internet or the Web.


John Ribeiro, IDG News Service