Mozilla announces new fund to improve open source security
The Secure Open Source Fund will 'provide security auditing, remediation, and verification for key open source software projects'
Mozilla has created a $500,000 fund to help to ensure the security and viability of key open source projects.
The Secure Open Source (SOS) Fund will "provide security auditing, remediation, and verification for key open source software projects", according to Chris Riley, head of public policy.
Writing on the Mozilla blog, Riley said that the initial funding, which will cover audits of some of the most widely used code, is just the start and that he hopes other organisations will contribute.
"We want to see the numerous companies and governments that use open source join us and provide additional financial support. We challenge these beneficiaries of open source to pay it forward and help secure the internet," Riley said.
Mozilla has already audited three pieces of open-source software and discovered 43 bugs, including one critical vulnerability in the C library PCRE.
While there is no evidence that closed source software is any more secure than open source (after all, how would anyone know?), Linus Torvalds' famous saying that "given enough eyeballs, all bugs are shallow" has taken a bit of a beating in recent years, with critical faults being discovered in crucial software such as OpenSSL, glibc and Xen, many of which had existed, undetected, for years.
The need for improved security in open source was recognised by the executive director of the Linux Foundation Jim Zemlin last year when he said: "The open source software we all rely on every day in some cases is maintained by a small group of people, or even a single person."
Zemlin continued: "OpenSSL, for a long time, was maintained by two guys named Steve. That means that the internet for a long period of time was secured by those two guys. OpenSSH, the way to have secure communications between servers, was maintained by one guy working part time."
The Linux Foundation created the Core Infrastructure Initiative (CII) to address these concerns. It is not clear how CII and SOS will work together.