Homeland Security Extends Scope To Open Source Software
Homeland Security Grants $1.24 Million To Stanford, Coverity And Symantec To Identify Security Holes In Open Source Software
Jan. 11, 2006 08:00 AM
The project will expand an existing Coverity initiative that already provides Linux developers with regular bug data. "We will take that to the next level and pull together dozens of major open-source projects, and do full analysis of those code bases," Coverity co-founder David Park said.
Commercial software makers commonly use source code analysis tools, either bought or homegrown, to vet their code before releasing a product to market. However, such tools are often too expensive for open-source developers, experts said. Instead, open-source programmers eyeball each other's code or check their own work manually. The effort will help put open-source development on a par with commercial software efforts, Park said. "The open-source community does not have access to those kinds of tools, so we are trying to correct that to some extent," he said.
The list of open-source projects that Stanford and Coverity plan to check for security bugs includes Apache, BIND, Ethereal, KDE, Linux, Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL, Coverity said.
The project, while generally welcomed, has come in for some criticism from the open-source community. The bug database should help make open-source software more secure, but in a roundabout way, said Ben Laurie, a director of the Apache Foundation who is also involved with OpenSSL. A more direct way would be to provide the code analysis tools to the open-source developers themselves, he said.
"It is regrettable that DHS has decided once more to ensure that private enterprise profits from the funding, while the open-source developers are left to beg for the scraps from the table," he said. "Why does the DHS think it is worthwhile to pay for bugs to be found, but has made no provision to pay for them to be fixed?"