The team behind the Caddy secure-by-default webserver have written a blog post on their experience with MOSS:
The MOSS program kickstarted a new era for Caddy: turning it from a fairly casual (but promising!) open source project into something that is growing more than we would have hoped otherwise. Caddy is seeing more contributions, community engagement, and development than it ever has before! Our experience with MOSS was positive, and we believe in Mozilla’s mission. If you do too, consider submitting your project to MOSS and help make the Internet a better place.
Always nice to find out one’s work makes a difference. :-)
We are starting to ask MOSS project awardees to write an end-of-award report detailing what happened. Here’s one written a few months ago by the Mio project (Carl Lerche).
Secure Open Source is a project, stewarded by Mozilla, which provides manual source code audits for key pieces of open source software. Recently, we had a trusted firm of auditors, Cure53, examine the dovecot IMAP server software, which runs something like two thirds of all IMAP servers worldwide. (IMAP is the preferred modern protocol for accessing an email store.)
The big news is that they found… nothing. Well, nearly nothing. They managed to scrape up 3 “vulnerabilities” of Low severity.
Despite much effort and a thoroughly all-encompassing approach, the Cure53 testers only managed to assert the excellent security-standing of Dovecot. More specifically, only three minor security issues have been found in the codebase, thus translating to an exceptionally good outcome for Dovecot, and a true testament to the fact that keeping security promises is at the core of the Dovecot development and operations.
Now, if we didn’t trust our auditors and they came back empty-handed, we might suspect them of napping on the job. But we do, and so this sort of result, while seemingly a “failure” or a “waste of money”, is the sort of thing we’d like to see more of! We will know Secure Open Source, and other programs to improve the security of FLOSS code, are having an impact when more and more security audits come back with this sort of result. So well done to the Dovecot maintainers; may they be the first of many.
When we opened our web form to allow people to make suggestions for open source projects that might benefit from a Secure Open Source audit, some joker submitted an entry as follows:
- Project Name: Donald J. Trump for President
- Project Website: https://www.donaldjtrump.com/
- Project Description: Make America great again
- What is the maintenance status of the project? Look at the polls, we are winning!
- Has the project ever been audited before? It’s under audit all the time, every year I get audited. Isn’t that unfair? My business friends never get audited.
Ha, ha. But it turns out it might have been a good idea to take the submission more seriously…
If you know of an open source project (as opposed to a presidential campaign) which meets our criteria and might benefit from a security audit, let us know.