MOSS/Secure Open Source

From MozillaWiki

The Secure Open Source ("SOS") track of MOSS supports security audits for open source software projects, and remedial work to rectify the problems found.

You can read about the audits we've completed so far.

Project Criteria

The SOS Fund has only a small set of firm rules:

  • The software must be open source/free software, with a license which is OSI-certified and/or FSF-approved
  • The software must be actively maintained

Selection Criteria

We have a series of factors we consider when evaluating an application. For example:

  • How commonly used is the software?
  • Is the software network-facing or does it regularly process untrusted data?
  • How vital is the software to the continued functioning of the Internet or the Web?
  • Does the software depend on closed-source code, e.g. in a web service?
  • Are the software’s maintainers aware of, and supportive of, the application to the SOS Fund?
  • Has the software been audited before? If so, when and how extensively? Was the audit made public? If so, where?
  • Does the software have existing corporate backing or involvement?

The answers to such questions are often not “yes” or “no”, but matters of degree, and so Mozilla will take the entire picture into account when assessing projects.

How To Apply

At this time, candidates for an award are chosen by Mozilla. If you have a suggestion for a project which you think meets the criteria above, and where an audit might particularly benefit the project and the Internet community, please fill in this form.

If you have questions, please feel free to contact us at sosfund at mozilla dot com.

FAQ

We've been asked how this project compares to the Core Infrastructure Initiative (CII) of the Linux Foundation. Here's a short answer: We believe our model of support is different from and complementary to CII's. We view CII as focused on necessary, deeper-dive investments into core OS security infrastructure, such as OpenSSL. This is important work. The SOS Fund's audit and remediation methodology focuses on more point-in-time solutions and targets a different class of OSS projects, those with lower-hanging fruit security needs, using an open, public-facing application form. To have substantial and lasting benefit in tackling an issue as significant as open source security, we need a broad range of solutions, including investment, audits, education, best practices, and a host of others. We believe the SOS Fund, alongside CII and other efforts, can help catalyze industry momentum to strengthen open source security.