Mozilla launches Secure Open Source (SOS) Fund
Open source software is ideal for security. Its transparency allows code to be publicly reviewed and audited. This not only helps to detect bugs and vulnerabilities, but intentional backdoors too. In contrast, closed source software can be a mystery to users -- who knows what is lurking in your favorite such programs?
Unfortunately, auditing open source software takes resources. While everyone has the freedom to review code, most consumers do not know how to do so, meaning things can be hiding in plain sight because folks with the know-how don't have the time to look at it. Thankfully, Mozilla is aiming to increase resources with its newly-formed Secure Open Source (SOS) Fund. To show just how committed the Firefox-maker is to the cause, it has already earmarked a half million dollars.
"Major security bugs in core pieces of open source software -- such as Heartbleed and Shellshock -- have elevated highly technical security vulnerabilities into national news headlines. Despite these sobering incidents, adequate support for securing open source software remains an unsolved problem, as a panel of 32 security professionals confirmed in 2015. We want to change that, starting today with the creation of the Secure Open Source ('SOS') Fund aimed at precisely this need", says Chris Riley, Head of Public Policy, Mozilla.
Riley further says, "The SOS Fund will provide security auditing, remediation, and verification for key open source software projects. The Fund is part of the Mozilla Open Source Support program (MOSS) and has been allocated $500,000 in initial funding, which will cover audits of some widely-used open source libraries and programs. But we hope this is only the beginning. We want to see the numerous companies and governments that use open source join us and provide additional financial support. We challenge these beneficiaries of open source to pay it forward and help secure the Internet".
Mozilla explains that the fund has three major focuses, as listed below.
- Mozilla will contract with and pay professional security firms to audit other projects' code;
- Mozilla will work with the project maintainer(s) to support and implement fixes, and to manage disclosure;
- Mozilla will pay for the remediation work to be verified, to ensure any identified bugs have been fixed.
What's cool is Mozilla is not simply focusing on shining a light on a bug and wiping its hands. Instead, the SOS fund will contribute to fixing the software too.
Keep in mind, folks, many major companies use open source software in end-user programs and apps -- this will not only protect Linux nerds, but all computer users. Mozilla deserves major kudos here.
What do you think of this new SOS fund? Tell me in the comments.