
Open Source CERT sponsored by Google
By Jerome Saiz, Mon, May 12th, 2008
oCERT aims to be the security help desk for Open Source projects. Among its goals is to help Free Software developers who lack the security resources or manpower to fix their applications after a hole has been found. Launched a month ago, oCERT has already handled four alerts.
Open Source software is great, but not all projects have the same resources, especially when it comes to security. And while the smallest among them may very well find themselves embedded in more popular Free products, source code auditing and quick patching are not always easy for them, if even possible.
That's where oCERT comes into play. Made up of volunteer ITsec experts and sponsored, among others, by Google, oCERT wants to be the Computer Emergency Response Team of the Free world. It will keep contact information for many Open Source projects and will act as a link between vulnerability researchers, project developers and the Linux distributions that package their tools. The oCERT team will also bring its expertise to developers who do not have the security know-how to fix a specific vulnerability.
Launched last month, oCERT was founded by Inverse Path's exec team (its Chief Security Engineer and R&D manager, also a member of the Gentoo Linux Security Audit team). Also on board are two Google security engineers and an Intel engineer who happens to be the developer of Linux's Bluetooth stack. This core team can count on advice and guidance from Solar Designer (of Openwall and John the Ripper fame) and Dragos Ruiu, of the CanSecWest security conference.
Within its first month of existence, oCERT published four alerts, including two that came from its own research. The way the project handled them illustrates how it may be useful to the Open Source community. When oCERT was contacted about a vulnerability in Speex, a smaller Open Source project, its team broadened the scope of the research and found several other Free packages that embed Speex and were thus also vulnerable. It then proceeded to contact all the developers in charge, and not just Jean-Marc Valin, Speex's lead developer.
In another instance, oCERT identified a new vulnerability in the libpng library. When the official patch was out, oCERT audited it to make sure it indeed plugged all the holes.
While it's very interesting on paper, oCERT will still have to earn its spot under the sun in a field already crowded with organizations. Between national CERTs, well-known private organizations like the SANS Institute and several other vertical CERT teams, it is quite a crowded environment to get into, especially from scratch.
Of course, being itself a (kind of) vertical CERT for Open Source might very well help. Especially when the community needs to track all the ties between a vulnerable Free tool and other projects, and then contact a myriad of package maintainers in a hurry.
More about this news: see http://www.ocert.org/
