Mozilla establishes fund for open source code security audits
Mozilla has established the Secure Open Source (SOS) Fund. The aim of the fund is to pay for security audits of important open source projects. Mozilla hopes this will prevent new security incidents such as Heartbleed and Shellshock.
The SOS Fund is part of the Mozilla Open Source Support program and initially has half a million dollars. Mozilla hopes more organizations and governments will join the initiative to increase funding for audits.
With that money, Mozilla wants to have professional security companies scour code for problems. The organization then plans to work with the projects' maintainers to address the issues and to assist with the disclosure of the vulnerabilities. In addition, Mozilla is willing to pay for verification that the bug fixes actually work.
Mozilla has already commissioned three audits under the program, for Perl-Compatible Regular Expressions (PCRE), libjpeg-turbo, and phpMyAdmin. These brought 43 bugs to light, including one critical vulnerability. Open source software has permeated all layers of businesses, organizations and infrastructure, but despite that dependence, its security remains a largely unsolved problem.
The SOS Fund is not the first initiative to try to tackle this, however. The Linux Foundation started the Core Infrastructure Initiative in 2014, in collaboration with Cisco, Facebook and Google, among others, to screen open source projects for security vulnerabilities.