How to ensure the security of open source projects is a concern for many open source users including individual users and companies. But it's not an easy task to ensure the security of open source projects.
Because everyone can see the source code, there is much higher possibility that a bug may be found by someone. Once a bug is disclosed, people may exploit it and do evil things, this may cause loss of money either for individuals or companies, some of the bugs may even have big impact to the whole industry. For example, the recent HeartBleed bug in OpenSSL.
Also since many of the open source projects are free which are non profitable and they need lots of people to develop, test and support them. So the people who participate in the open source projects need to find other ways to make a living, this will distract them from putting too much energy on open source projects. That's why we often see some really important open source projects are developed and managed by a small group of people. This increases the risk of exposing bugs to outside world.
In order to improve the security of open source projects, we need to take actions in two directions. On one hand, technically developers should be more responsible for what they write and they need to run through tests and code review process before the code goes into publication. On the other hand, from a management point of view, since there are lack of manpower in some open source projects, a feasible solution is that big companies invest money and people on some important open source projects such as OpenSSL, and at the same time an independent third party manages the open source projects, make plans and coordinate developments etc. This will solve the money problem of open source projects and at the same time maintain the independence of the project. It will benefit both the investors(companies of course) and general public users.
Fortunately for the second proposal, people are aware of it now and begin to take actions. Some big companies include Google, Microsoft and Facebook launched a new project called the Core Infrastructure Initiative, There are 12 companies joining this project and will invest $3.6 million to improve the security of open source projects to prevent the next HeartBleed bug. These 12 companies will invest $100,000 each year in next three years to sponsor the development and maintenance of some really important open source projects. This project will be managed by the Linux Foundation which is an independent non-profit organization.
In conclusion, to improve the security of open source projects, we propose a model to manage open source project which is big companies invest money and people and an independent third party manages the daily operation of the project.
