U.S. Funds Open Source Security Hub
Source: SecurityFocus
Conventional wisdom has long held that open source software garners extra security from the sheer number of people who are free to review the code -- "Many eyes make all bugs shallow," the adage goes. The reality is often different; it turns out many of those eyes have little interest in the thankless task of examining other people's code for security holes.
But now the "many eyes" school of software security may become more than a theory, thanks to a reward system devised by an Oregon-based computer scientist and funded by the U.S. Defense Department, which was announced on security mailing lists Tuesday.
Part software development system and part psychological gambit, the Sardonix project would replace the current loosely-structured open source security review process with a central Web site that tracks which code has been audited for security holes, and by whom. An automated reward loop grants points to volunteer auditors according to the amount of code they've examined, and the number of security holes they've found. Auditors lose points if a subsequent audit by someone else turns up bugs they missed.