oCERT is a newly formed project that will help handle security issues centered around open source projects. Sponsored by Google, Inverse Path, and Open Source Lab, the project will work similar to other well-known Computer Emergency Response Team (CERT) organizations around the world.
A description on the project's Web site says that the project will help all open source project teams, both large and small, to help remediate security problems to avoid potential ripple effects. Such effects can occur since one open source project might bundle applications from other projects, as is the case, for example, with open source operating systems. The project will also aid with security vulnerability research and assessment.
Already the team has reported its first vulnerability. At the end of March an advisory was issued regarding memory corruption in the popular GNU Privacy Guard (GnuPG) application - an open source implementation of OpenPGP encryption. The vulnerability was discovered by Andrea Barisani, oCERT's founder & project coordinator.
Other oCERT team members include Will Drewry and Tavis Ormandy of Google's security team, Rob Holland of Inverse Path, and Marcel Holtmann of Intel.
Membership is open to anyone that deals with open source, including developers and third-party close-source developers whose applications might affect open source packages. Current public members include the teams from Annvix, Gentoo, Mandriva, Nmap, OpenBSD, OpenSSH, and Open Source Lab.
The public at large can submit incidents and vulnerability reports at the oCERT Web site.
