Mozilla launches new fund to help prevent the next Heartbleed

Mozilla today announced that it is launching the Secure Open Source (SOS) Fund to help make open source code more secure. The fund, which will get an initial grant of $500,000 from the Mozilla Open Source Support program, aims to prevent the next Heartbleed or Shellshock by providing open source projects with the means to audit and fix their code.

Mozilla is also asking the corporations and educational and government institutions that benefit from open source to join the fund. “We challenge these beneficiaries of open source to pay it forward and help secure the Internet,” Mozilla’s Chris Riley writes today.

In practice, this means the SOS Fund will pay security firms to audit other projects’ code and then work with the project maintainers to implement fixes and manage disclosure. The organization will also pay to verify these fixes.

Mozilla says it already tested this process with three projects (PCRE, libjpeg-turbo and phpMyAdmin). Over the course of these first tests, the process found 43 bugs, including one critical vulnerability. For these initial tests, Mozilla worked with Cure53 and NCC Group.

“So much of the code we rely on uses open source software. It’s embedded in commercial products and provides for key internet operations,” said James A. Lewis, senior vice president and director for the Strategic Technologies Program at the Center for Strategic and International Studies in a statement today. “This software is often neglected when it comes to patching and updating. All software has exploitable flaws – it’s the nature of coding. Left unattended, these bugs create opportunities for crime and disruption. Mozilla’s SOS fund fills a critical gap in cybersecurity by creating incentives to find the bugs in open source and letting people fix them.”

Developers who want to submit their code for these security audits can apply for support. To be considered, their code obviously has to be open source and must be actively maintained. Mozilla notes that it will also consider how commonly the software is used and how vital it is “to the continued functioning of the Internet or the Web.”