And in a good way.
They’re paying for open source software to be scanned for security bugs, and then fixing them.
All the software scrutinized was found to have significant numbers of security flaws, Coverity said on Wednesday. Since 2006 the project has helped fix 7,826 open source flaws in 250 projects, out of 50 million lines of code scanned, the company said.
They find, on average, one security flaw per 1,000 lines of code. And when the flaw is fixed, everyone’s security improves.
There is some whining about how this is just bashing the OSS community, but look at the results:
The Free Software Foundation’s glibc or Gnu C Library has fixed 83 bugs and left zero unfixed. The Gnu C Library is used by many open source programmers working with Linux. It is one of the few open source projects to clock in at a zero existing rate of defects for its 588,931 lines of code.
[…]
Linux came in with far fewer defects than average, as did a number of other open source projects. Version 2.6 of the Linux kernel had a security bug rate of 0.127 per thousand lines of code. The kernel scan covered 3,639,322 lines of code. As exposures were identified by repeated scans, 452 defects have been fixed by kernel developers; 48 have been verified but not yet fixed; another 413 remain to be verified and fixed.
[From Open Source Code Contains Security Holes — Open Source — InformationWeek]