Open metaphorista opened 8 years ago
Additional detail on the necessary funding mechanism

I have a two-fold response. The most important piece is that the direct recipient of most of the funds spent through this isn't actually the open source org, but rather a professional for-profit security firm whom we've contracted to do an audit of the third-party OS developer's codebase.
I said most of the funds, because a component of the program is also supporting remediation work, which is often done by the developer directly. This is more likely to be an individual than an NGO, precisely because we are seeking to fill a need in the space, which means targeting the well-maintained projects that don't have institutional support behind them (because if they did, they should pay for their own audits!). So it's likely a responsible individual, since we don't want to throw money away on a poorly maintained repo, but it is generally an individual.
We could potentially identify a pass-through NGO who would handle this for us, possibly without taking a cut, as a partner in the project who would instead receive reputational benefit. But if it's possible to design these such that they're direct transfers to the intended recipients, that's the optimal solution with the fewest procedural delays between completion of the work and payment. Both types of transactions are IMO professional services being done at our direction and under our control, if that helps at all.
MoFo as funding recipient for the Secure Open Source fund: https://docs.google.com/document/d/10Mqw81MnovyT2GOz0crZ0T0HnNDdeYQm6NSdXCas_fM/edit

There's already $150K in the pot; we'd like to offer a matching-or-more opportunity.

Timeline - Chris would love to be able to announce a sponsorship arrangement at the work week in London.

Interested funders - Google, Hewlett, MacArthur.