Google has announced it is to sponsor oCERT, an open source computer emergency response team.
In a blog post on Monday, Google security engineer Will Drewry said that one of the problems with open source security was getting fixes out quickly to everybody using a particular piece of open source software.
"It has been unclear how to best resolve this issue. There is no centralized security authority for open source projects, and operating system distribution publishers are the best bet for getting updates to the highest number of users," wrote Drewry. "Even if users can get updates in this manner, how should a security researcher contact a particular project's author? If there's a potential, security-related issue, who can help evaluate the risk for a project? What resources are there for projects that have been compromised, but have no operational security background?"
So, Google will provide some sponsorship to the oCERT project to try to address some of these issues.
It's a shame Drewry declined to wade into the long-running debate about which is more secure: open source or proprietary software.