Major security bugs in core pieces of open source software – such as Heartbleed and Shellshock – have elevated highly technical security vulnerabilities into national news headlines. Despite these sobering incidents, adequate support for securing open source software remains an unsolved problem, as a panel of 32 security professionals confirmed in 2015. We want to change that, starting today with the creation of the Secure Open Source (“SOS”) Fund aimed at precisely this need.
Open source software is used by millions of businesses and thousands of educational and government institutions for critical applications and services. From Google and Microsoft to the United Nations, open source code is now tightly woven into the fabric of the software that powers the world. Indeed, much of the Internet – including the network infrastructure that supports it – runs using open source technologies. As the Internet moves from connecting browsers to connecting devices (cars and medical equipment), software security becomes a life and death consideration.
The SOS Fund will provide security auditing, remediation, and verification for key open source software projects. The Fund is part of the Mozilla Open Source Support program (MOSS) and has been allocated $500,000 in initial funding, which will cover audits of some widely-used open source libraries and programs. But we hope this is only the beginning. We want to see the numerous companies and governments that use open source join us and provide additional financial support. We challenge these beneficiaries of open source to pay it forward and help secure the Internet.
Security is a process. To have substantial and lasting benefit, we need to invest in education, best practices, and a host of other areas. Yet we hope that this fund will provide needed short-term benefits and industry momentum to help strengthen open source projects.
Mozilla is committed to tackling the need for more security in the open source ecosystem through three steps:
- Mozilla will contract with and pay professional security firms to audit other projects’ code;
- Mozilla will work with the project maintainer(s) to support and implement fixes, and to manage disclosure; and
- Mozilla will pay for the remediation work to be verified, to ensure any identified bugs have been fixed.
We have already tested this process with audits of three pieces of open source software. In those audits we uncovered and addressed a total of 43 bugs, including one critical vulnerability and two issues with a widely-used image file format. These initial results confirm our investment hypothesis, and we’re excited to learn more as we open for applications.
We all rely on open source software. We invite other companies and funders to join us in securing the open source ecosystem. If you’re a developer, apply for support! And if you’re a funder, join us. Together, we can have a greater impact for the security of open source systems and the Internet as a whole.