"Open source is more secure." How many times have we said or heard that? Too many to count, really. But PCWorld.com's Neil McAllister points something out in an article published in The Washington Post:
[O]pen source's supposed security advantage assumes three things: 1.) Someone is actually looking at the code; 2.) Security vulnerabilities are getting reported and fixed; and 3.) Information about those fixes makes its way to Linux distributors and other software vendors, who apply the fixes to their products. But what if those things aren't happening?
A new group of volunteers has organized to help open source projects ensure that those things do happen. oCERT, short for open source computer emergency response team, aims to "coordinate communication" regarding open source security vulnerabilities and fixes between those who publish the software and those who use it, Channel Register reports. A group of corporate sponsors, including Google, is underwriting the effort.
On Google's security blog, Will Drewry says oCERT will provide:
security vulnerability mediation and incident response services to open source projects. It will strive to contact software authors with all security reports and aid in debugging and patching, especially in cases where the author, or the reporter, doesn't have a background in security. Additionally, oCERT will aid projects of any size with responses to security incidents, such as server compromises.