A new program, Secure Open Source, aims to discover and remediate serious vulnerabilities in common open source software.
In a blog post on Thursday, Mozilla’s Chris Riley said “From Google and Microsoft to the United Nations, open source code is now tightly woven into the fabric of the software that powers the world. Indeed, much of the Internet—including the network infrastructure that supports it—runs using open source technologies.”
Toward that end, Mozilla has committed $500,000 in initial funds to be used to pay professional security firms to audit open source project code. The effort is part of the Mozilla Open Source Support program (MOSS). Mozilla says it will work with the project maintainer(s) to support and implement fixes, and to manage disclosure; and will pay for the remediation work to be verified, to ensure any identified bugs have been fixed.
Initial audits are planned for widely-used open source libraries and programs. Already three open source projects, PCRE, libjpeg-turbo, and phpMyAdmin, have been audited. “In those audits we uncovered and addressed a total of 43 bugs, including one critical vulnerability and two issues with a widely-used image file format,” Riley wrote. “These initial results confirm our investment hypothesis, and we’re excited to learn more as we open for applications.”
Heartbleed, the critical vulnerability in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520), illustrates the cost of an unaudited bug in a widely used library. It was co-discovered through fuzz testing by Codenomicon (now part of Synopsys) and disclosed in April 2014; a vulnerable server would answer a heartbeat request by copying back as many bytes as the request claimed to contain, without checking that claim against the record it had actually received, so a single malformed request could read up to 64 KB of adjacent process memory. The vulnerability initially affected an estimated 600,000 IP addresses worldwide. Although the fix (upgrading to OpenSSL 1.0.1g or later, then reissuing any keys and certificates that may have been exposed) has been available since disclosure, along with free scanners for locating exposed hosts, Heartbleed still affects more than 200,000 IP addresses today, according to security researcher Billy Rios.
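The Heartbleed pattern reduces to one missing bounds check. The C program below is an added illustration written for this page, not OpenSSL's code: it models the heartbeat record format (type, two-byte length, payload, 16 bytes of padding) inside a constructed "process memory" arena, places an unrelated secret just past the record, and runs a malicious request that claims 65535 bytes of payload but carries four through a Heartbleed-shaped handler and through a hardened one that applies the same length check the real fix added. The arena, the secret string and the request body are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* RFC 6520: at least 16 bytes of padding follow the payload */

/* Constructed "process memory": the heartbeat record sits at offset 0 and an
 * unrelated secret follows it, as adjacent heap data would in a real server. */
#define ARENA_SIZE (3 + 0xFFFF + HB_PADDING + 64)
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "session cookie: DEADBEEF";   /* constructed sample */

/* Write a request record into the arena. 'claimed' is the payload length put on
 * the wire (an attacker may inflate it); 'actual' is how many body bytes are
 * really present. Returns the true length of the record as received. */
static size_t build_record(uint16_t claimed, const uint8_t *body, size_t actual) {
    memset(arena, 'X', sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, body, actual);
    memset(arena + 3 + actual, 0, HB_PADDING);
    size_t rec_len = 3 + actual + HB_PADDING;
    memcpy(arena + rec_len + 8, secret, sizeof secret);   /* just beyond the record */
    return rec_len;
}

/* Heartbleed-shaped handler: trusts the on-the-wire payload length outright.
 * Returns the response length written to 'out', or -1 if the record is dropped. */
static int hb_respond_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                                   /* never consulted: the bug */
    if (rec[0] != HB_REQUEST) return -1;
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);               /* reads far past the real record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Hardened handler: the claimed length must fit inside the record actually
 * received (type + length + payload + padding), otherwise the record is
 * silently discarded, as the OpenSSL 1.0.1g fix does. */
static int hb_respond_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;     /* too short to be well-formed */
    if (rec[0] != HB_REQUEST) return -1;
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;   /* the missing check */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

static int contains(const uint8_t *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Send a four-byte request that claims 65535 bytes through 'handler'.
 * Stores the response length in *resp_len; returns 1 if the secret leaked. */
static int leaks_secret(int (*handler)(const uint8_t *, size_t, uint8_t *), int *resp_len) {
    static uint8_t out[3 + 0xFFFF + HB_PADDING];
    const uint8_t body[4] = { 'p', 'i', 'n', 'g' };
    size_t rec_len = build_record(0xFFFF, body, sizeof body);
    int n = handler(arena, rec_len, out);
    if (resp_len) *resp_len = n;
    return n > 0 && contains(out, (size_t)n, secret);
}

/* A well-formed request (claimed length matches the body) must still be answered
 * by the fixed handler; returns the response length. */
static int fixed_answers_valid_request(void) {
    static uint8_t out[3 + 0xFFFF + HB_PADDING];
    const uint8_t body[4] = { 'p', 'i', 'n', 'g' };
    size_t rec_len = build_record(4, body, sizeof body);
    return hb_respond_fixed(arena, rec_len, out);
}

int main(void) {
    int n;
    printf("vulnerable: leaked=%d, response=%d bytes\n", leaks_secret(hb_respond_vulnerable, &n), n);
    printf("fixed:      leaked=%d, response=%d\n", leaks_secret(hb_respond_fixed, &n), n);
    printf("fixed, valid request: response=%d bytes\n", fixed_answers_valid_request());
    return 0;
}
```

The over-read stays inside the arena here so the demo is well-defined; in the real bug the copy ran off the end of the record buffer into whatever the heap held next, which is why private keys and session cookies turned up in responses. Note that the fixed handler drops the bad record rather than answering with an error: sending any response would confirm to a scanner that the heartbeat extension is live.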