At Mozilla we were born out of, and remain a part of, the open source and free software movement. Through the Mozilla Open Source Support (MOSS) program, we recognize, celebrate, and support open source projects that contribute to our work and to the health of the Internet.

Since our last update

We have provided a total of $365,000 in support of open source projects through MOSS.

MOSS supports SecureDrop with a quarter of a million dollars

The biggest award went to SecureDrop, a whistleblower submission system used by over 30 news organizations, maintained by the non-profit Freedom of the Press Foundation.

The $250,000 given represents the largest amount we’ve ever provided to an organization since launching the MOSS program. It will support the creation of the next version of SecureDrop, which will be easier to install, easier for journalists to use, and even more secure.

Additional awards

We have also made awards to other projects we believe will advance a free and healthy Internet:

$10,000 to the libjpeg-turbo project, the leading implementation of JPEG compression for photos and similar images;

$25,000 to LLVM, a widely-used collection of technologies for building software;

$30,000 to the LEAP Encryption Access Project, a nonprofit focusing on giving Internet users access to secure communication;

$50,000 to Tokio, a Rust project to bring easy-to-use asynchronous input and output to the language.

We believe in encouraging growth and partnerships with our awardees. Where we can, we look to structure awards in creative ways to try and unlock additional value. Here are two examples of how we did that in this cycle:

The OSVR project is a virtual and augmented reality platform that Mozilla uses in Firefox. They came to us with a proposal to improve their rendering pipeline; we offered to put up half of the money, if they can encourage their partner companies to provide the other half. They have until the end of June 2017 to make that happen, and we hope they succeed.

The Hunspell project maintains the premier open-source spell-checking engine. They proposed to rewrite their software in C++ using a more modern, streaming, embeddable design. We accepted their proposal, but also offered more funds and time to rewrite it in Rust instead. After considering carefully, the Hunspell team opted for the C++ option, but we are happy to have been able to offer them a choice.

Under the Secure Open Source arm of MOSS

We ran a major joint audit on two codebases, one of which is a fork of the other – ntp and ntpsec. ntp is a server implementation of the Network Time Protocol, whose codebase has been under development for 35 years. The ntpsec team forked ntp to pursue a different development methodology, and both versions are widely used. As the name implies, the ntpsec team suggest that their version is or will be more secure. Our auditors did find fewer security flaws in ntpsec than in ntp, but the results were not totally clear-cut.

Security audits have also been performed on the curl HTTP library, the oauth2-server authentication library, and the dovecot IMAP server.

The auditors were extremely impressed with the quality of the dovecot code in particular, writing: “Despite much effort and thoroughly all-encompassing approach, [we] only managed to assert the excellent security-standing of Dovecot. More specifically, only three minor security issues have been found in the codebase.”

Sometimes, finding nothing is better than finding something.

Applications for “Foundational Technology” and “Mission Partners” remain open, with the next batch deadline being the end of April 2017. Please consider whether a project you know of could benefit from a MOSS award. Encourage them to apply! You can also submit a suggestion for a project which might benefit from an SOS audit.