Menu
New Mozilla fund will pay for security audits of open-source code

New Mozilla fund will pay for security audits of open-source code

The project will have a US$500,000 fund to start with

A new Mozilla fund, called Secure Open Source, aims to provide security audits of open-source code, following the discovery of critical security bugs like Heartbleed and Shellshock in key pieces of the software.

Mozilla has set up a US$500,000 initial fund that will be used for paying professional security firms to audit project code. The foundation will also work with the people maintaining the project to support and implement fixes and manage disclosures, while also paying for the verification of the remediation to ensure that identified bugs have been fixed.

The initial fund will cover audits of some widely-used open source libraries and programs.

The move is a recognition of the growing use of open-source software for critical applications and services by businesses, government and educational institutions. “From Google and Microsoft to the United Nations, open source code is now tightly woven into the fabric of the software that powers the world. Indeed, much of the Internet - including the network infrastructure that supports it - runs using open source technologies,” wrote Chris Riley, Mozilla’s head of public policy in a blog post Thursday.

Mozilla is hoping that the companies and governments that use open source will join it and provide additional funding for the project.

In a trial of the SOS program on three pieces of open-source software, Mozilla said it found and fixed 43 bugs, including a critical vulnerability and two issues in connection with a widely-used image file format. “These initial results confirm our investment hypothesis, and we’re excited to learn more as we open for applications,” Riley wrote.

The SOS fund "fills a critical gap in cybersecurity by creating incentives to find the bugs in open source and letting people fix them," said James A. Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies, in a statement.

Paying people to find bugs in software, sometimes in the form of challenges, has become common practice, with many companies including Google having bug bounty programs.

The Linux Foundation has a Core Infrastructure Initiative that also aims to secure key open-source projects, in collaboration with technology companies like Amazon Web Services, Cisco, Google and Facebook. The CII, set up in April 2014, was a response to the Heartbleed bug.

Describing the CII as focused on "necessary, deeper-dive investments into the core OS security infrastructure, like in OpenSSL," Mozilla said the role of SOS is complementary as it targets "a different class of OSS projects with lower-hanging fruit security needs."

The SOS is part of a larger program, called Mozilla Open Source Support, launched by Mozilla in October last year to support open source and free software development. MOSS has an annual budget of about $3 million.

To qualify for SOS funding, the software must be open source or free software, with the appropriate licenses and approvals, and must be actively maintained. Some of the other factors that will be considered are whether a project is already corporate backed, how commonly is the software used, whether it is network-facing or regularly processes untrusted data, and its importance to the continued functioning of the Internet or the Web.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments