Linux, Android, Mozilla and their partners are rallying to secure the open source ecosystem. The community does not want to be held responsible for every problem, and it is well aware that its model is the cornerstone of the entire digital sector. Maximum awareness and vigilance have become essential, and combating system flaws requires budgets of several million dollars.
No aspect of the digital era is safe from security threats. Vulnerabilities and attacks of varying degrees of seriousness are discovered almost every day, and many of them affect infrastructures and open source software development.
Open source: a victim of its own success?
Open source has become a standard and a driving force for digital transformation; “these technologies are the backbone of businesses”, said the president of the Open World Forum in 2014. Users of this model share their ability to innovate, their shorter time-to-market and their “out-of-the-box” view. As for security, contributors respond quickly and effectively, especially when a flaw is detected or a system is hacked. For the main open source players, upstream security has become a priority, and they are investing accordingly.
The Linux Core Infrastructure Initiative (CII)
In March 2014, the world discovered Heartbleed, a vulnerability unintentionally introduced into the OpenSSL cryptographic library. It allowed passwords and sensitive data to be collected from several thousand supposedly secure servers, with no clue as to the attacker’s identity. This flaw could have led to an unprecedented crisis.
The Linux Core Infrastructure Initiative was created after this electroshock. Coordinated by Linux, this organisation supports and finances security-related projects by bringing in IT heavyweights, who responded by investing several million dollars. The CII includes Amazon, Cisco, Qualcomm, VMware, Dell, Google, Facebook, Microsoft, Intel, Huawei, etc.
Audits, patches, sharing best practices, encouraging accountability: the experts of CII members use all possible means to inform the community and to secure the very design of open source projects. The CII’s first visible action was awarding a “badge” to several open source solutions that comply with best practices and coding quality standards. In addition to these badges, the CII has launched several programmes for system verification, best practices and the development of analysis tools.
Android: the bug-hunt is on
Google’s mobile OS often has security issues. It is also the dominant OS: 52 to 89% of mobile devices run it, depending on the market, according to the Kantar indicators.
The Android Security Rewards programme was launched in 2015, while the OS was spreading rapidly across the market. It rewards developers who spot system flaws with bonuses ranging from $330 to $8,000, depending on the seriousness of the bug. According to Google, a year after the programme was launched, $550,000 had been distributed to 82 contributors. Android Security Rewards complements a similar initiative, Google Vulnerability Rewards, launched in 2014 to improve the security of google.com, YouTube and the Blogger platform.
In 2014, just after the Heartbleed crisis, Mozilla promised rewards of up to $10,000 to those who found bugs in Firefox. Since then, Mozilla has been focusing its actions on open source, first in 2015 with MOSS (Mozilla Open Source Support), a support programme for open source projects that contribute to “the Internet’s good health”. This year, the organisation decided to allocate $500,000 to a new programme called SOS (Secure Open Source), which is entirely focused on security and finances audits, patches and checks of sensitive projects. It works much like Linux’s CII but, according to Mozilla’s Wiki, in a complementary way, because SOS is focused on concrete projects with a short-term impact.