After the Open Source Security Summit hosted by the White House on Thursday, local time, Google called on the government to become more involved in identifying and securing critical open source software projects. In a blog post published shortly after the summit, Kent Walker, president of global affairs and chief legal officer at Google and Alphabet, said there was a need for collaboration between governments and the private sector on open source funding and management.

"We need public-private partnerships to establish a list of critical open source projects—critical in terms of their impact and importance—to help prioritize and allocate resources for the most basic security assessments and improvements," Walker wrote.

The blog post also calls for increased public and private investment to keep the open source ecosystem secure, especially where the software is used in infrastructure projects. In most cases, funding and review of such projects are carried out by the private sector.
At press time, the White House had not responded to requests for comment.
Walker writes: "Open source software code is open to the public and can be used, modified, or inspected by anyone ... That's why it has been adopted by many aspects of critical infrastructure and national security systems. But there is no official resource allocation, and there are no formal requirements or standards to maintain the security of that critical code. In fact, most of the work to maintain and strengthen open source security, including fixing known vulnerabilities, is done on an ad hoc, voluntary basis."
Funding and resource shortages in open source development have long been raised as a security issue, and the issue became a key concern once again after a serious vulnerability was discovered in the Log4j Java library, a flaw that quickly became the biggest cybersecurity vulnerability in recent years. Log4j, too, is developed and maintained mainly by unpaid labor.
When an open source project does receive funding, it usually comes from private sources, such as individual donations or sponsorships from tech companies. Google recently offered $1 million for the Secure Open Source (SOS) Incentive Program, a pilot program run by the Linux Foundation to financially compensate developers who work on improving the security of open source projects.