Mozilla will foot the bill for your open source software security audit

The non-profit's new fund will be the starting point for improving the security of open-source software.
Written by Charlie Osborne, Contributing Writer

Mozilla has launched the Secure Open Source (SOS) Fund to give open-source software developers the revenue to pay for security audits.

Chris Riley, Head of Public Policy at Mozilla, said on Thursday that the SOS Fund, part of the Mozilla Open Source Support program (MOSS), will be made available to applicants that need assistance in improving the security of their open-source projects.

Open-source software is widely used by companies and governments worldwide to underpin many of the services we rely on today, but because many projects depend on volunteers and have little or no funding for professional code review, vulnerabilities can go unnoticed for years.

The fund could play a part in preventing catastrophic security failures in widely-used open-source software in the future. Heartbleed and Shellshock, for example, were dangerous vulnerabilities in OpenSSL and Bash respectively, components embedded in software and libraries used across a huge variety of applications.

Riley commented:

"From Google and Microsoft to the United Nations, open source code is now tightly woven into the fabric of the software that powers the world. Indeed, much of the Internet -- including the network infrastructure that supports it -- runs using open source technologies.

As the Internet moves from connecting browsers to connecting devices (cars and medical equipment), software security becomes a life and death consideration."

Mozilla has allocated $500,000 in initial funding, which "will cover audits of some widely-used open source libraries and programs," according to the organization.

"Security is a process. To have substantial and lasting benefit, we need to invest in education, best practices, and a host of other areas," Riley says. "Yet we hope that this fund will provide needed short-term benefits and industry momentum to help strengthen open-source projects."

If an applicant to the fund is successful, Mozilla will contract and pay professional security firms to review the project's code, and will also work with the security team to implement fixes and manage disclosure.

The work done will also be verified to ensure security flaws have been patched properly.

The non-profit has already piloted this approach with three open-source projects: PCRE, a C regular-expression library; libjpeg-turbo, a fork of the libjpeg codebase; and phpMyAdmin, a web-based administration tool for MySQL databases.

Across these three audits, a total of 43 bugs were found, including one critical vulnerability and two important issues in libjpeg-turbo, the image library among the three.

Mozilla hopes that the SOS fund will act as the foundation for wider action to be taken to improve the security of open-source products, and invites companies and governments to contribute funding which will make more security audits and checks possible.

You can apply for the SOS fund here.

