After a meeting with U.S. President Joe Biden a few weeks ago, Google announced that it is pledging $100 million towards improving security in open-source projects. Today, it has revealed that it is partnering with the Open Source Technology Improvement Fund (OSTIF) to do just that. Together, the two entities will launch the Managed Audit Program (MAP). Through this initiative, they will increase the depth of security reviews and audits of open-source projects that are widely used by people all over the world.
For now, Google has committed to manage security priorities and help fix flaws in eight open-source projects. These are:
- Git
- Lodash
- Laravel
- Slf4j
- Jackson-core
- Jackson-databind
- Httpcomponents-core
- Httpcomponents-client
Commenting on the partnership, OSTIF had the following to say:
We would like to thank the Google Open Source Security Team for helping us scale our impact to not only find bugs but also fix issues across the open-source ecosystem. From here, we hope to significantly grow operations to support hundreds of projects in the coming few years. To reach this goal, we will need support from the communities that rely on this infrastructure, and improve our data to target the best projects for our work. In the end, we believe these combined efforts will lead to a safer open source environment for everyone.
It is worth noting that the initial MAP list has 24 items, including notable entries such as Electron, React Native, Rails, Joomla, and Angular. Funding for those remaining projects has not yet been secured, so they will likely be covered in subsequent rounds of MAP.