There are different types of funding provided by Mozilla. We participated in the Secure Open Source (SOS) Fund and that was pretty straightforward. Mozilla pays a security firm to audit an open source codebase and then report their findings to the authors. There is little to argue over compensation-wise.
Mozilla plays a small but valuable role in shepherding fixes that assists any team unprepared to deal with such an audit report. I think having Mozilla broker the conversation helps with framing the report too: it communicates that the project is important enough to warrant such an interaction and that this was done to help, whereas I think that communication directly from a security firm is more typically viewed with suspicion or denial.
Hypothetically, the target of the assessment not being paid to fix the discovered issues could present a problem. I have never seen compensation to fix security bugs in practice. In some ways, it feels wrong since the compensation might go up based on the number or severity of bugs found, in essence a reward for insecure code. If you're maintaining a critically important project, security fixes seem like the cost of entry, not something that needs an extra push.
In my opinion, it is better to earmark funds to developers for strategic improvements anyway (e.g. sandboxing, verification, privilege separation, etc.). The Foundational Technology Fund from Mozilla requires a "clear and current project goal" [1], so if they funded a security improvement it looks like it would follow this approach [2].
In our experience, working with zlib was a pleasure. They fixed nearly all of our issues before we even noticed and we had a detailed, technical discussion about one of them. I credit Gervase at Mozilla for assisting with that and I would certainly work with the whole team there again.
[1] https://wiki.mozilla.org/MOSS/Foundational_Technology#Projec...
[2] https://blog.mozilla.org/blog/2016/06/22/mozilla-awards-3850...