Open-source bug hunt project expands

Bug tally is at 6,000 on the first anniversary of government-sponsored project, which is adding more open-source code to scan.
Written by Joris Evers, Contributor
A year after its original launch, a U.S. government-backed project that scans open-source code for flaws is expanding.

The effort, supported by a research contract from the U.S. Department of Homeland Security, is now scanning code of 150 open-source projects, up from the original 50.

"This allows open-source developers to find and resolve defects introduced into the project," David Maxwell, open-source strategist for Coverity, said in a statement. Coverity makes source-code analysis tools and shares the DHS contract with Stanford University and Symantec.

Since the start of the project, 6,000 bugs that were found have been fixed, according to Coverity. About 700 developers are now registered to access the bug data and 35 million lines of code are scanned every day, the company said.

New open-source projects added to the bug hunt effort include "zlib," a compression program used in many applications, as well as FreeRadius, an application that provides authentication.

Coverity has updated its scan.coverity.com Web site to give a graphical overview of the flaws that were found. The company plans to further increase the number of open-source projects it scans. It has yet to decide which ones.

The bug hunt is part of a three-year "Open Source Hardening Project" dedicated to helping make such software as secure as possible. In January 2006, the U.S. Department of Homeland Security awarded $1.24 million to Stanford, Coverity and Symantec to find vulnerabilities in open-source projects.

Editorial standards