May 6th, 2008
Google launches CERT for open source
Google on Tuesday detailed plans for oCERT, a volunteer workforce that will remediate security issues in open source applications.
The move makes a ton of sense. Community driven software can have bugs and plenty of folks to find these vulnerabilities. The problem: There’s no central group to actually fix these flaws.
In Google’s security blog, Will Drewry said:
I’m proud to announce that Google has sponsored participation in oCERT, the open source computer emergency response team. oCERT is a volunteer workforce of security professionals from the open source community with the goal of providing security vulnerability mediation and incident response services to open source projects. It will strive to contact software authors with all security reports and aid in debugging and patching, especially in cases where the author, or the reporter, doesn’t have a background in security. Reliable contacts for projects, publishers, and vendors will be maintained where possible and used for notification when issues arise and fixes are available for mediated issues. Additionally, oCERT will aid projects of any size with responses to security incidents, such as server compromises.
What oCERT does is give corporations a one-stop open source security repository. That’ll come in handy when navigating the patch cycle. Dana Blankenhorn notes that “Google’s backing of oCERT is a major milestone in the history of open source.”
Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic. See his full profile and disclosure of his industry affiliations.
