The Secure Open Source ("SOS") track of MOSS supports security audits for open source software projects, and remedial work to rectify the problems found.

You can read about the [[MOSS/Secure Open Source/Completed|audits we've completed so far]].

==Project Criteria==

The SOS Fund has a very limited set of solid rules:

* The software must be open source/free software, with a license which is OSI-certified and/or FSF-approved

* How vital is the software to the continued functioning of the Internet or the Web?
* Does the software depend on closed-source code, e.g. in a web service?
* Are the software's maintainers aware of and supportive of the application for support from the SOS fund?
* Has the software been audited before? If so, when and how extensively? Was the audit made public? If so, where?
* Does the software have existing corporate backing or involvement?

==How To Apply==

At this time, candidates for an award are chosen by Mozilla. If you have a suggestion for a project which you think meets the criteria above, and where an audit might particularly benefit the project and the Internet community, please [https://docs.google.com/forms/d/1f0xSg9XM8v7YGdZ_FzeE67ggckbAsg6sH1mpQ4buTQE/viewform fill in this form].

If you have questions, please feel free to contact us, sosfund at mozilla dot com.

==FAQ==

We've been asked how this project compares to the [https://www.coreinfrastructure.org/ Core Infrastructure Initiative] of the Linux Foundation. Here's a short answer: We believe our model of support is different from and complementary to CII's. We view CII as focused on necessary, deeper-dive investments into the core OS security infrastructure, like in OpenSSL. This is important work. The SOS Fund's audit and remediation methodology focuses on more point-in-time solutions and targets a different class of OSS projects with lower-hanging fruit security needs, using an open public-facing application form. To have substantial and lasting benefit in tackling such a significant issue as open source security, we need a broad range of solutions, including investment, audits, education, best practices, and a host of others. We believe the SOS Fund, alongside CII and other efforts, can help catalyze industry momentum to strengthen open source security.