Last March, the White House released a draft policy for requiring federal agencies to share software, with the possibility of requiring federally funded code to be released as open source. Last month, the Bulgarian government followed suit, and raised the ante by including a bug bounty program in the legislation. Add to this efforts in the UK, India and New Zealand, and you can see a trend starting.
Bulgarian Government Mandate
There are obvious security concerns around releasing software used by governments for critical activities. I, for one, don’t really want the code for critical infrastructure and defense under a blanket open source mandate, and Bulgaria has exempted their intelligence agencies from the mandate. Further, they need to be mindful of systems managing the personal information of employees and taxpayers. However, it seems obvious that much of the software managing non-critical data could be useful, in whole or in part, for use by the private sector. If managed properly, the legislation makes sense for a number of reasons.
More open source
Development teams are embracing open source for a good reason. It accelerates development while lowering (not eliminating) costs. The more open source available, the more we all benefit. Assuming the code covered under these policies has genuine utility, it will attract attention from the open source community. Independent developers will build enhancements that will be available to both public and private enterprises.
I’m not arguing for the “many eyes make all bugs shallow” claim in general. Security eyes are undoubtedly useful, however, and they are the source of virtually all open source vulnerability disclosures in the NVD. Bulgaria has addressed this with its bug bounty program. By paying security researchers (and others) for bugs, it is encouraging responsible disclosure.
Understanding what is being “custom built” can shed light on inside deals where commercial solutions may already exist. Bulgaria is taking this a step further in that all contracts for custom software will be available online for public review.
Taxpayer funds were used to create the code, and making that code available to other federal agencies can reduce waste. Assuming the software meets the needs of several agencies, maintaining a single code base should simplify code maintenance as well.
NASA pioneered efforts to make public the technologies it developed in the space program. Technologies such as anti-icing systems, infrared ear thermometers, firefighting gear, and memory foam mattresses have resulted from shared technology. In a world where software integrates into almost everything, access to the government’s building blocks should spur more advances.
I’ll reiterate that these programs must be managed carefully from a security standpoint. But overall, open sourcing software from some of the largest consumers of custom code can help us all.