
In Heartbleed's wake, tech titans launch fund for crucial open-source projects

When the OpenSSL Heartbleed bug surfaced earlier in April, many people were shocked to discover that one of the most critical pieces of online infrastructure was so poorly supported.

Despite OpenSSL's wide use as a means of securing websites, the OpenSSL Software Foundation had just one full-time employee and received only $2,000 in donations every year.

Arguably, the Heartbleed bug that exposed password and other user data could have been avoided if only OpenSSL had broader financial support. Now, a group of major technology companies is teaming up with the Linux Foundation to do just that.

On Thursday, Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation announced the Core Infrastructure Initiative (CII).

As its name suggests, the CII's members will work together to identify essential open source projects in desperate need of financing. The group aims to provide funds to these projects so that lead developers can work on them full-time. CII support will also be used to pay for security audits, hardware and software infrastructure, travel, and other needs.

While the CII will provide the funding, individual projects will continue to operate "under the community norms that have made open source so successful."

The CII hasn't committed to any specific projects yet, but not surprisingly OpenSSL will be the first project considered for funding. Even without an official announcement of support, it would be shocking if OpenSSL weren't funded, since the Heartbleed bug is what prompted the CII in the first place.

The Linux Foundation will administer the funds for the CII in cooperation with a steering committee that includes backers of the CII as well as "key open source developers and other industry stakeholders."

The Linux Foundation didn't say how much money was involved in the CII, but a report from Ars Technica says the group has committed to at least a three-year initiative and $3.6 million in funding. That works out to about $100,000 per year from each company—a funding level that isn't even a rounding error for most of these corporations, but a massive infusion for open-source projects.

Hopefully, the CII will prove its value over the next three years and convince the member companies to commit to the initiative for the long term, as well as convince other companies to join the cause.
