After the dust had started to settle in the wake of the OpenSSL Heartbleed vulnerability earlier this month, one of the common sentiments that emerged was that the small group developing and maintaining the software needed some help. And money. And resources. But mostly money. Now, the OpenSSL Foundation, along with a number of other open source projects, will be getting some much-needed help from some of the largest tech companies in the industry.
A new consortium, known as the Core Infrastructure Initiative and comprising The Linux Foundation, Microsoft, Facebook, Amazon, Dell, Google and several other large vendors, is putting together a multimillion-dollar fund to support various open source projects that are vital to the Web’s security and stability. OpenSSL is the first project under consideration to receive funds.
The money flowing from the Core Infrastructure Initiative is meant to help open source projects, which often are small and run by volunteers or part-time developers, fund full-time developers, as well as security audits and other key initiatives.
“Maintaining the health of the community projects that produce software critical to the security and safety of Internet commerce is in everyone’s interest,” said Professor Eben Moglen of Columbia Law School, Founding Director of the Software Freedom Law Center. “The Linux Foundation, and the companies joining this Initiative, are enabling these dedicated programmers to continue maintaining and improving the free and open source software that makes the Net work safely for us all. This is business and community collaboration in the public interest, and we should all be grateful to The Linux Foundation for making it happen.”
The Heartbleed vulnerability highlighted how important these projects are and the problem that their lack of resources can present. OpenSSL, for example, is run by volunteers, and the project often gets only a few thousand dollars in donations each year. The money from the CII will allow these projects to dedicate full-time resources to development, testing and other tasks.
“Security is an industry-wide concern requiring industry-wide collaboration. The Core Infrastructure Initiative aligns with our participation in open source and the advancement of secure development across all platforms, devices and services,” said Steve Lipner, partner director of software security at Microsoft.