Dozens of tech companies including Facebook, Google, Amazon, IBM and Microsoft have formed the Core Infrastructure Initiative to prevent another Heartbleed bug, a serious vulnerability in the widely-used OpenSSL and a major threat to cybersecurity.
The companies are making an initial commitment of $100,000 per year for the next three years (for a total of over $4 million). An offshoot of the Linux Foundation, the initiative will “fund open-source projects that are in the critical path for core computing functions.”
The steering group will work with an advisory board of esteemed open source developers to identify and fund open source projects in need. Support from the initiative can include funding for fellowships for key developers to work full time on the open-source project, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support.
OpenSSL, the open-source program at the center of the Heartbleed bug, is used by 66 percent of web servers and thousands of client-side applications and devices. As reported by Mashable, the OpenSSL project has thus far been “severely underfunded; it raised only $2,000 in donations in 2013 and relied on contract work to fund ongoing development.”
Open source is gaining momentum because, compared with private, proprietary code, it is seen as producing stronger software. Chris DiBona, director of open source at Google, told NPR that the software developer community should be paying closer attention to the quality of that software's security. According to NPR:
Open-source software is core to the business of many high-tech firms. But for years, they’ve been using it for free. OpenSSL — the code that got hit by the Heartbleed bug — is used by the majority of websites to send encrypted data safely between users and servers. But Google and others had put zero dollars into the maintenance and upkeep of the software.
The present goal is to “root out these problems before they become problems of the scale of Heartbleed and other holes that are probably lurking out there in the software we all depend on,” said DiBona.
When executive director of the Linux Foundation, Jim Zemlin, called on tech companies to support the initiative, he was met with enthusiasm and long-term commitment. Zemlin told NPR that the foundation will “make sure the money goes to the collective good, and not just one company’s bottom line.”