The Mozilla Foundation has launched the Secure Open Source (SOS) Fund to help fund audits of open-source software.
SOS, which is part of the Mozilla Open Source Support (MOSS) program, is making $500,000 available to pay for security audits of open-source projects, so that security bugs are found and fixed before they become the next Heartbleed or Shellshock.
“The SOS Fund will provide security auditing, remediation, and verification for key open-source software projects,” said Chris Riley, head of public policy at Mozilla. The fund is starting at half a million dollars but the Mozilla Foundation is encouraging companies and government to put money forward to fund software security research.
The SOS Fund will work in three stages. Mozilla will enlist and pay security firms to audit a project's code. Once the audit is complete, Mozilla will work with the project's maintainers to implement the fixes. Finally, Mozilla will pay for the remediation to be verified, so that the issues the audit reported have actually been fixed rather than merely patched over.
This process has already been carried out on three different open-source software projects to identify vulnerabilities. “In those audits we uncovered and addressed a total of 43 bugs, including one critical vulnerability and two issues with a widely used image file format,” said Riley. “These initial results confirm our investment hypothesis, and we’re excited to learn more as we open for applications.” Applications for funding are open now.
Open-source software relies on collaboration and user involvement to identify and act on bugs, and that has only become more important as open source has gone from a niche choice to the norm. However, a robust security audit still costs money, and for many smaller projects the cost is prohibitive. For those projects Mozilla's new fund will be welcome news, but the fund will need more backers in the future to keep it alive and available to a wide audience of software creators.