The Linux Foundation has collaborated with major tech companies on a three-year initiative called the “Core Infrastructure Initiative,” which aims to prop up underfunded open-source projects. First on the list would be OpenSSL, which can be found in millions of Web servers and mobile devices. Though it has since been patched, in early April we learned of a flaw in it that has been named the Heartbleed Bug.
Facebook, Google, Microsoft, Amazon, Cisco, Dell, Fujitsu, IBM, Intel, NetApp, Rackspace, Qualcomm, and VMware each pledged $100,000 per year over the next three years. The total funding for the initiative would come to about $3.9 million. While it is unlikely that the whole amount will go to OpenSSL, its newfound funding represents a significant financial jump.
As websites scurried to implement security patches for the Heartbleed Bug, Steve Marquess, the co-founder and president of the OpenSSL Software Foundation, called for more donations for his organization. According to Marquess, the OpenSSL Software Foundation only pulls in about $2,000 a year in donations and can only afford to hire one full-time employee and a handful of part-timers. The group supports itself through support contracts. However, Marquess said that they have never raised more than $1 million in annual funding.
“There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work,” Marquess said in a blog post published on April 12.
In his address, Marquess also called out his new benefactors, saying: “I’m looking at you, Fortune 1000 companies. The ones who include OpenSSL in your firewall/appliance/cloud/financial/security products that you sell for profit, and/or who use it to secure your internal infrastructure and communications. The ones who don’t have to fund an in-house team of programmers to wrangle crypto code, and who then nag us for free consulting services when you can’t figure out how to use it. The ones who have never lifted a finger to contribute to the open source community that gave you this gift. You know who you are.”
It seems Marquess’ rant has struck a nerve. Top tech companies are finally opening their wallets. “Open source software is important to organizations like AWS, which deliver secure Internet experiences and services for customers,” said Steve Schmidt, the chief information security officer for Amazon Web Services, in a press release. “We are pleased to be part of the Core Infrastructure Initiative and to work with the Linux Foundation to foster continued innovation and security in key open source projects that can benefit us all.”
“Open source software makes today’s computing infrastructure possible. Facebook is excited to support these projects and the developers who maintain them. This initiative will help ensure that these core components of internet infrastructure get the assistance they need to respond to new threats and to reach new levels of scale,” said Doug Beaver, the engineering director of traffic & edge at Facebook.
The OpenSSL security vulnerability, which plunged the Internet into a state of panic when it was first revealed on April 7, exposed the user information of about 66 percent of the world’s active websites. According to Sucuri Security, about two percent of the top 1 million websites on the Internet remain susceptible to the Heartbleed Bug.