Google backs open source security team

May 7, 2008

Throwing some of its not-inconsiderable weight behind open source software, Google has joined oCert, or the open source computer emergency response team. oCert is a volunteer organisation of security professionals that aims to co-ordinate responses to security threats in the open source software world, much like the national Cert bodies such as US-Cert.

One of the problems facing open source security is that the OSS developer community is hugely fragmented. Despite having huge numbers of developers and users, many of whom are finding bugs, there is no single central body co-ordinating the response to these flaws.

The other problem facing the OSS developer community is lack of buy-in from corporates and enterprises. Having a single CERT body, particularly one backed by the likes of Google, responding to critical issues will give these organisations access to a single repository of known issues, which will go some way to easing their fears about using open source software.

In a posting on the Google online security blog, Will Drewry writes:

I’m proud to announce that Google has sponsored participation in oCERT, the open source computer emergency response team. oCERT is a volunteer workforce of security professionals from the open source community with the goal of providing security vulnerability mediation and incident response services to open source projects. It will strive to contact software authors with all security reports and aid in debugging and patching, especially in cases where the author, or the reporter, doesn’t have a background in security. Reliable contacts for projects, publishers, and vendors will be maintained where possible and used for notification when issues arise and fixes are available for mediated issues. Additionally, oCERT will aid projects of any size with responses to security incidents, such as server compromises.

Google is a long-time user of open source software, using Linux, Apache and MySQL extensively throughout its systems, but is often criticised for not releasing changes to the software back into the community. Backing oCert may go some way to appeasing its critics.


Comments

One Response to “Google backs open source security team”

  1. Google for president « Saucy Sourcing
    September 18th, 2008 @ 2:45 pm

    [...] to contribute both software and time to open source efforts”. To the extent that Google are now backing an open source security team: Open Source Computer Emergency Response Team (oCERT). oCERT works on [...]
