Wild idea: @mozilla $100 million open-source security project

In light of the #heartbleed bug:

Mozilla could:

  • get $5m from Google
  • $5m from Facebook
  • $5m from Amazon, IBM, Yahoo etc. etc.
  • get $1m each from Fidelity, and BofA and all the banks
  • get $1m each from the major e-commerce sites
  • and from anybody who uses open-source code for their business and really gets hurt by something like heartbleed,

for a total of $100 million a year. Then, set up a totally transparent, international crack organization that reviews and tests all important open-source code for security vulnerabilities. That would make a huge different for future heartbleeds (and if you think there are no others lurking, I have an entire fleet of bridges to sell you :-))

It could be somebody else who does it — like the EFF. But it’s totally consistent with Mozilla’s value of putting the user first, unlike others they know about how to Q&A and secure code, and I think they could attract the right people to do it.

BTW, I don’t think this is about the NSA: if they can find heartbleed, anybody else can find it. And not even the NSA would want that if they thought about this for a second. (hope they do!)

Disclaimer: This is a wild idea only. I do not speak for Mozilla, never have, likely never will, and I have not even run this by anybody at Mozilla. Just thought it would be worth jotting down.