Heartbleed: OpenSSL Gets Much-Needed Funding Thanks to Linux Core Infrastructure Initiative
After the Heartbleed bug exposed a major vulnerability, there has been renewed interest in internet security. Heartbleed is a security bug in the open-source OpenSSL library. The flaw was deemed catastrophic by many prominent observers.
“The Heartbleed bug allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
Since the bug was discovered, around April 9th 2014, OpenSSL has been patched, neutralizing much of the bug’s potential danger. Almost everyone we know changed their passwords, opting for more complex mixes of letters, numbers, and other characters.
This vulnerability of historical proportions was largely explained by OpenSSL’s dire lack of funding. The foundation in charge of raising funds for this open source project typically receives just $2000 a year in donations and has only one full-time employee working on the code.
Steve Marquess, co-founder and president of the OpenSSL Foundation, blogged that the project is mostly funded by “work-for-hire” contracts.
This contrasts with a larger open source organization, the Linux Foundation, which funds the largest operating system built on collaborative innovation. Companies that back the Foundation help themselves, and others, benefit from that innovation as well.
The Linux Foundation is supported by some of the largest tech corporations, such as Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, and Microsoft. When it approached them about shoring up the security of core infrastructure, they were all on board.
“Before I could even get my last word out most folks were like, ‘absolutely,’” Linux Foundation Executive Director Jim Zemlin told Ars Technica. He adds: “We should have done this three years ago to be honest.”
The companies have pledged $3.9 million for the Core Infrastructure Initiative, an effort to help under-funded open source projects, with an emphasis on the crucial OpenSSL library. Even if OpenSSL receives only a fraction of that money, it will still be a huge improvement over previous years, which in turn will help solidify the Internet’s security infrastructure. Donations to OpenSSL have reached $9,000 since the bug was discovered.
Inspired by the Heartbleed bug, the Core Infrastructure Initiative (CII) accepts funding from anyone, at this link. There will be no strings attached for developers, and CII vows to respect community norms, which is crucial for these projects to succeed.
Zemlin took to his blog to address where the funding will go.
“We will depend on the developers from the open source community and experts from their respective fields (security as one example) to inform and guide members on where funding is needed most. This is not unlike the neutral framework we’ve had in place for more than a decade to support Linux and that respects the community norms that make open source successful.”