The US government is putting tax dollars behind the effort to hunt down security bugs in open-source code, it has emerged.

Coverity, Symantec and Stanford University are to be paid $1.24 million by the Department of Homeland Security in a three-year program called the "Vulnerability Discovery and Remediation, Open-Source Hardening Project".

The project will see Stanford and Coverity create a tool for automatic scanning of code for bugs, the database of which will be accessible to developers. The motivation for the investment is simply the increased importance of open-source software for the running of critical government systems, and the need to minimise bugs that lead to security issues.

"We're going to make automatic checking deeper and more thorough using the latest research and apply this to the open-source infrastructure to make it more robust," Stanford-based Dawson Engler told CNET.

Open-source projects coming under scrutiny will include Apache, BIND, Ethereal, KDE, Linux, Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL.

Symantec’s role will be to provide feedback on the project from the perspective of a commercial software developer. Stanford is reported as receiving $841,000 of the grant, with the remainder split $297,000 to Coverity and $100,000 to Symantec.