Good day. Major technology companies and government agencies held a second meeting on open-source software security in Washington, D.C. on Thursday, following a January gathering organized by the White House.

The aim of the meeting, attendees said, was to flesh out the challenges associated with securing open-source technology. The Open Source Software Foundation and the Linux Foundation, which convened the summit, published a 50-page plan, and a number of companies pledged funding to make it happen.

More on what took place, below, plus Weekend Reading.

NEWSLETTER EXTRA | Open-Source Security

Educating developers on security, dedicating resources for vulnerability response and developing software bills of material were among the key topics discussed at the summit.

While the January meeting on open source was held in the immediate aftermath of the Log4shell vulnerability disclosure, which sent security teams scrambling to patch systems over the holidays and into the new year, this summit was about developing clear plans to tackle issues, attendees said.

“I think it was an opportunity for the industry to come together and say that we can greatly learn from that episode, and now, here are some of the things that we think we can do together to make this much improved going forward. And so I do think it was a significant improvement from the first meeting,” said Jamie Thomas, general manager of systems strategy and development at IBM. 

The plan published today by the Open Source Software Foundation and the Linux Foundation is also clear on a major point: Fixing the security issues with open-source software will take time and money. The plan calls for around $50 million in funding for the first two years, with funding for future years to be determined.

Delivering security certifications and training for open-source developers will likely cost $4.5 million in the first year alone, the plan says. Similarly, ensuring that open-source components are digitally signed is estimated to cost $13 million in the first year. Establishing a team at the OpenSSF which can respond to vulnerabilities and provide support for developers is estimated to cost around $3 million per year.

“We realize that's a meaningful amount. We realize that is an amount that, from some degree, is much more than any open-source developer has, or even most open source projects, but when you compare it to the cost of remediating a major vulnerability like we've seen in the last few years, it’s a drop in the bucket,” said Brian Behlendorf, general manager of OpenSSF, during a press conference held after the meeting.

Much of that funding will be met by the largest companies. Around $30 million has already been pledged by Alphabet, Amazon, Ericsson AB, Intel, Microsoft and VMware, Mr. Behlendorf said.

For others, the meeting was a validation of long-held concerns about the security of open-source software, and a recognition that freely available technology still requires resources to maintain.

Brian Fox, chief technology officer of open-source security company Sonatype Inc. said that while previous efforts to fortify security in this area didn’t have the desired impact, such as those initiated by the Linux Foundation after the Heartbleed vulnerability in 2014, he felt confident lasting change was possible now due to the collective effort on the plan.

“That's the first time that we've attempted to solve it this way. I think that effort will lead to actual concrete actions now, instead of people just coming together and talking about it,” he said.

— James Rundle

Write to the WSJ Pro Cybersecurity Team: Kim S. Nash, James Rundle, Catherine Stupp and David Uberti.

Follow us on Twitter: @knash99, @catstupp and @DavidUberti. 

Contact Enterprise Technology Editor Steve Rosenbush at steven.rosenbush@wsj.com or follow him on Twitter: @Steve_Rosenbush.