Batu69 Posted June 11, 2016

BROWSER MAKER Mozilla has created the Secure Open Source Fund to ensure that open source code is kept secure and to prevent another Heartbleed or Shellshock vulnerability.

The $500,000 fund will "provide security auditing, remediation and verification for key open source software projects", according to Chris Riley, head of public policy at Mozilla.

Riley explained on the Mozilla blog that the initial funding, which will cover audits of some of the most widely used code, is just the start and that he hopes other organisations will contribute.

"We want to see the numerous companies and governments that use open source join us and provide additional financial support. We challenge these beneficiaries of open source to help secure the internet," he said.

Mozilla has already audited three pieces of open source software and discovered 43 bugs, including one critical vulnerability in the C library PCRE.

There is no evidence that closed source software is any more secure than open source (after all, how would anyone know?), but Linus Torvalds' famous saying, "Given enough eyeballs, all bugs are shallow", has taken a bit of a beating in recent years. Critical faults have been discovered in vital software such as OpenSSL, glibc and Xen, many of which had gone undetected for years.

The need for improved security in open source was recognised last year by Jim Zemlin, executive director of the Linux Foundation.

"The open source software we all rely on every day in some cases is maintained by a small group of people, or even a single person," he said. "OpenSSL, for a long time, was maintained by two guys named Steve. That means that the internet for a long period of time was secured by those two guys. OpenSSH, the way to have secure communications between servers, was maintained by one guy working part time."

The Linux Foundation created the Core Infrastructure Initiative (CII) to address these concerns. It is not clear how CII and the Secure Open Source Fund will work together.

Article source