The Linux Foundation’s Core Infrastructure Initiative (CII) has launched The Census Project.
The Census Project is a new programme that analyses popular open source projects to identify which ones are:
a) critical to Internet infrastructure
b) most in need of additional support
c) most in need of additional funding.
A working example
The Heartbleed vulnerability in the open source software (OSS) program OpenSSL had widespread impact and serious ramifications.
It led to the formation of the multi-million dollar Core Infrastructure Initiative backed by The Linux Foundation and industry leaders like Amazon Web Services, Facebook, Google, IBM and Microsoft.
The Census Project expands on the CII’s efforts to collaboratively identify and fund critical open source projects in need of assistance.
Project risk score analysis
The Census Project automates the collection and analysis of data on different open source projects, and from the results it produces a risk score for each project.
Projects with a higher score are especially in need of reinforcements and funding, so CII will treat them as priority candidates for funding. A high score means that the project may not be getting the attention it deserves and merits further investigation.
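The following is an added illustration of the scoring idea described above; it is not the Census Project's own code, and the metric names, weights, thresholds and sample project records are all constructed for this example (the project's real metrics and formula live in its GitHub repository). It shows how a handful of per-project signals can be combined into a single risk score, how projects are then ranked highest-risk first, and how an alternative formula can be swapped in without changing the rest of the pipeline.

```python
"""Illustrative risk scoring of open source projects.

Assumptions (not from the article): the metric names, weights, thresholds and
the sample project records below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Project:
    name: str
    network_exposed: bool    # hypothetical: parses input arriving from the network
    contributors_12m: int    # hypothetical: active contributors in the last 12 months
    days_since_release: int  # hypothetical: age of the newest release in days
    known_cves_3y: int       # hypothetical: CVEs filed against it in the last 3 years
    reverse_deps: int        # hypothetical: number of packages depending on it


def default_score(p: Project) -> int:
    """Additive risk score: a higher value means more in need of attention."""
    score = 0
    if p.network_exposed:          # attack surface
        score += 2
    if p.contributors_12m <= 3:    # bus factor / lack of maintainers
        score += 2
    elif p.contributors_12m <= 10:
        score += 1
    if p.days_since_release > 730:  # stale releases
        score += 2
    elif p.days_since_release > 365:
        score += 1
    score += min(p.known_cves_3y, 3)  # vulnerability history, capped
    if p.reverse_deps > 1000:         # blast radius if it breaks
        score += 2
    elif p.reverse_deps > 100:
        score += 1
    return score


def exposure_weighted_score(p: Project) -> int:
    """Alternative formula: same signals, but network exposure doubles the total
    instead of adding a fixed amount."""
    base = default_score(p) - (2 if p.network_exposed else 0)
    return base * 2 if p.network_exposed else base


def rank_projects(
    projects: List[Project],
    scorer: Callable[[Project], int] = default_score,
) -> List[Tuple[str, int]]:
    """Score every project and rank highest risk first (ties broken by name)."""
    scored = [(p.name, scorer(p)) for p in projects]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Constructed sample data; these are not measurements of any real project.
SAMPLE_PROJECTS = [
    Project("libparse-net", True, 2, 900, 4, 2500),
    Project("cli-colors", False, 12, 30, 0, 50),
    Project("tls-shim", True, 6, 400, 1, 300),
]

if __name__ == "__main__":
    for name, score in rank_projects(SAMPLE_PROJECTS):
        print(f"{score:2d}  {name}")
    print("-- alternative formula --")
    for name, score in rank_projects(SAMPLE_PROJECTS, exposure_weighted_score):
        print(f"{score:2d}  {name}")
```

Passing a different scorer to rank_projects is the hook for "alternative formulas for combining the data": the data collection and ranking stay fixed while the weighting is the part contributors argue about.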
“Measuring software security is an ongoing struggle that’s notoriously difficult given missing or messy data,” said Jim Zemlin, executive director at The Linux Foundation.
“There’s no perfect set of metrics to guarantee that software is secure or not. The Census Project brings the power of the open source collaboration to help fill this massive gap, which will provide a useful barometer for assessing software from a security point of view. We look forward to feedback on the effort in order to improve the census itself and subsequently the software that we all depend on for our privacy and security,” he added.
With full source and data available on GitHub, developers and security experts are invited to participate in The Census Project by experimenting with different metrics, providing corrected data, proposing new projects to include in the evaluation, and suggesting alternative formulas for combining the data.
Anyone can submit a pull request with the changes that prove most successful.