Archive for 23. January 2006

Open source security and commercial involvements

While picking up what I missed during the weekend, when I was snowboarding in the Swedish "alps" (well, more like snow-covered hills, actually), I came across Bruce Schneier's words on the US Department of Defense, DoD, and their plans to fund popular open source projects with approximately 1.3 million dollars spread over the three upcoming years.

According to an article in eWeek, the money will fund source code auditing of projects such as KDE (of which I'm a dedicated user), Apache, the Linux kernel and also FreeBSD and OpenBSD, among others. The work will be performed by the company Coverity Inc., led and supervised by Stanford University. One aspect that I find interesting and impressive is Symantec's involvement: they will provide advice in their area of expertise.

Commercial forces are necessary for open source projects to be taken seriously. Just look at Apache, MySQL, Snort, Nessus and Ethereal, amongst others: they all offer commercial services related to their products. This is another example, where companies can be more or less guaranteed that someone with the necessary expertise actually is auditing the code for security-related vulnerabilities, something that otherwise can be questioned.

This discussion is related to several previous posts, like the WMF-related ones. I want vulnerabilities to be discovered and, when they are, published publicly, so that other defensive mechanisms can be used to temporarily "patch" the problem. I find undiscovered bugs and unpublished vulnerabilities a bigger problem than the lack of patches itself.