New Mozilla fund will pay for security audits of open-source code

09.06.2016
A new Mozilla fund, called Secure Open Source, aims to provide security audits of open-source code, following the discovery of critical security bugs like Heartbleed and Shellshock in key pieces of the software.

Mozilla has set up a US$500,000 initial fund that will be used for paying professional security firms to audit project code. The foundation will also work with the people maintaining the project to support and implement fixes and manage disclosures, while also paying for the verification of the remediation to ensure that identified bugs have been fixed.

The initial fund will cover audits of  some widely-used open source libraries and programs. 

The move is a recognition of the growing use of open-source software for critical applications and services by  businesses, government and educational institutions. “From Google and Microsoft to the United Nations, open source code is now tightly woven into the fabric of the software that powers the world. Indeed, much of the Internet - including the network infrastructure that supports it - runs using open source technologies,” wrote Chris Riley, Mozilla’s head of public policy in a blog post Thursday.

Mozilla is hoping that the companies and governments that use open source will join it and provide additional funding for the project.

In a trial of the SOS program on three pieces of open-source software, Mozilla said it found and fixed 43 bugs, including a critical vulnerability and two issues in connection with a widely-used image file format. “These initial results confirm our investment hypothesis, and we’re excited to learn more as we open for applications,” Riley wrote.

The SOS fund "fills a critical gap in cybersecurity by creating incentives to find the bugs in open source and letting people fix them," said James A. Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies, in a statement.

Paying people to find bugs in software, sometimes in the form of challenges, has become common practice, with many companies including Google having bug bounty programs.

The Linux Foundation has a Core Infrastructure Initiative that also aims to secure key open-source projects, in collaboration with technology companies like Amazon Web Services, Cisco, Google and Facebook. The CII, set up in April 2014,  was a response to the Heartbleed bug.

Describing the CII as focused on "necessary, deeper-dive investments into the core OS security infrastructure, like in OpenSSL," Mozilla said the role of SOS is complementary as it targets "a different class of OSS projects with lower-hanging fruit security needs."

The SOS is part of a larger program, called Mozilla Open Source Support, launched by Mozilla in October last year to support open source and free software development. MOSS has an annual budget of about $3 million.

To qualify for SOS funding, the software must be open source or free software, with the appropriate licenses and approvals, and must be actively maintained. Some of the other factors that will be considered are whether a project is already corporate backed, how commonly is the software used, whether it is network-facing or regularly processes untrusted data, and its importance to the continued functioning of the Internet or the Web.

John Ribeiro