Sutures for Future Heartbleeds

The Heartbleed crisis that resulted from a security flaw in the OpenSSL cryptographic software library (see my blog post on April 15, 2014) raised questions about the funding and viability of popular open source projects. Despite the importance of OpenSSL to Internet security, the project was operating on a limited budget and with minimal development resources, which may have contributed to the accidental introduction of the bug, a missing bounds check in the TLS heartbeat extension that went unnoticed in review for roughly two years.

In response, on April 24, 2014, the Linux Foundation announced a three-year, multi-million dollar “Core Infrastructure Initiative”. The Initiative will help “technology companies to collaboratively identify and fund open source projects that are in need of assistance, while allowing the developers to continue their work under the community norms that have made open source so successful.” Industry giants Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace and VMware are the founding members of the Initiative and have each pledged at least $100,000 a year; the total initial funding is around $3.9 million, according to Ars Technica. The Initiative’s funds will be administered by the Linux Foundation together with “backers of the project as well as key open source developers and other industry stakeholders.”

While the money will go to various open source projects, the first project under consideration for funding is OpenSSL, which may receive “fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests.”