In light of the #heartbleed bug:
- get $5m from Google
- $5m from Facebook
- $5m from Amazon, IBM, Yahoo etc. etc.
- get $1m each from Fidelity, and BofA and all the banks
- get $1m each from the major e-commerce sites
- and from anybody who uses open-source code for their business and really gets hurt by something like heartbleed,
for a total of $100 million a year. Then, set up a totally transparent, international crack organization that reviews and tests all important open-source code for security vulnerabilities. That would make a huge different for future heartbleeds (and if you think there are no others lurking, I have an entire fleet of bridges to sell you :-))
It could be somebody else who does it — like the EFF. But it’s totally consistent with Mozilla’s value of putting the user first, unlike others they know about how to Q&A and secure code, and I think they could attract the right people to do it.
BTW, I don’t think this is about the NSA: if they can find heartbleed, anybody else can find it. And not even the NSA would want that if they thought about this for a second. (hope they do!)
Disclaimer: This is a wild idea only. I do not speak for Mozilla, never have, likely never will, and I have not even run this by anybody at Mozilla. Just thought it would be worth jotting down.