Prompted by the Heartbleed bug, a dozen of the biggest tech companies in the world have pledged millions in future funding to critical open source software projects, with the OpenSSL Project first in line.
Announced by the Linux Foundation today, the Core Infrastructure Initiative is meant to provide funding and other support for open source software projects. Each of the founding members of the group, which includes Amazon, Cisco, Facebook, Google, Intel and Microsoft, will donate $300,000 to the project initially, totaling $3.6 million in assistance.
Linux Foundation Executive Director Jim Zemlin said in a statement that OpenSSL will be the first project considered for funding, based on the criticality of the widespread, open source encryption software and the discovery of the Heartbleed vulnerability within it.
"We will now be able to support additional developers and maintainers to work full time [in] supporting other essential open source projects," Zemlin said. "We are thankful for these industry leaders' commitment to ensuring the continued growth and reliability of critical open source projects, such as OpenSSL."
The Heartbleed OpenSSL vulnerability caused ripples around the Internet when it was first exposed publicly more than two weeks ago. OpenSSL underpins the encryption used for the transmission of data across the Internet, but Heartbleed, a missing bounds check in OpenSSL's handling of the TLS heartbeat extension, let a remote peer read server memory and potentially expose sensitive data, including private keys and user credentials. Even certain Android devices may have been vulnerable, thanks to the OpenSSL bug.
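To make the "simple flaw" concrete, here is an added illustration (not OpenSSL's code, and not from the article) of the heartbeat request handling in simplified form. A heartbeat message is `type | payload_length (2 bytes) | payload | padding`, and the bug was that the responder trusted the attacker-supplied `payload_length` and copied that many bytes from the record buffer without checking that the record was actually that long. The `check_bounds` flag switches between the vulnerable behaviour and the fix; `hb_process`, `run_demo`, the `arena` sandbox and the `SECRET` string are constructed for this demo so that the over-read stays inside memory the program owns.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_MIN_PAD   16
#define HB_MAX_OUT   (1 + 2 + 65535 + HB_MIN_PAD)   /* worst-case response size */

/* Build a heartbeat response for the request at `rec`, of which `rec_len`
 * bytes really belong to the record. `arena_len` is how much memory lies
 * behind `rec` in this simulation; a real server has no such guard and simply
 * reads whatever follows the record. Returns bytes written, or -1 if rejected. */
static long hb_process(const unsigned char *rec, size_t rec_len, size_t arena_len,
                       unsigned char *out, int check_bounds)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];   /* attacker-controlled */

    if (check_bounds) {
        /* The fix: the claimed payload plus header and padding must fit in the record. */
        if (1 + 2 + payload_len + HB_MIN_PAD > rec_len)
            return -1;
    } else {
        /* Vulnerable path: trusts payload_len. The only clamp is to the demo sandbox
         * so the over-read is defined behaviour here; real Heartbleed had no clamp. */
        if (3 + payload_len > arena_len)
            return -1;
    }

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);           /* copies whatever lies there */
    memset(out + 3 + payload_len, 0, HB_MIN_PAD);
    return (long)(3 + payload_len + HB_MIN_PAD);
}

/* Constructed scenario: a 4-byte "ping" payload that claims to be 48 bytes long,
 * with a stand-in secret placed in the memory right after the record. */
static const char SECRET[] = "PRIVATE-KEY-BYTES";

static long run_demo(int check_bounds, unsigned char *out)
{
    unsigned char arena[64];
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00;
    arena[2] = 0x30;                                 /* payload_length = 48 */
    memcpy(arena + 3, "ping", 4);                    /* actual payload: 4 bytes */
    size_t rec_len = 3 + 4 + HB_MIN_PAD;             /* 23 bytes of real record */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);  /* adjacent "process memory" */
    return hb_process(arena, rec_len, sizeof arena, out, check_bounds);
}

/* Did the response carry the secret back to the peer? */
static int leaked_secret(const unsigned char *out, long n)
{
    size_t slen = strlen(SECRET);
    for (long i = 0; n >= 0 && i + (long)slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

/* Helpers that run the scenario end to end (used by the stand-alone main below). */
static long demo_response_len(int check_bounds)
{
    unsigned char out[HB_MAX_OUT];
    return run_demo(check_bounds, out);
}

static int demo_leaks(int check_bounds)
{
    unsigned char out[HB_MAX_OUT];
    long n = run_demo(check_bounds, out);
    return leaked_secret(out, n);
}

int main(void)
{
    printf("vulnerable: response %ld bytes, secret leaked: %d\n",
           demo_response_len(0), demo_leaks(0));
    printf("fixed:      response %ld bytes, secret leaked: %d\n",
           demo_response_len(1), demo_leaks(1));
    return 0;
}
```

The vulnerable path answers the 23-byte request with a 67-byte response whose payload is 48 bytes of adjacent memory, including the planted secret; the fixed path rejects the request outright because 1 + 2 + 48 + 16 exceeds the record length. This is the same shape as the actual OpenSSL patch, which added a check of the claimed payload length against the received record length before the copy.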
Despite the critical role OpenSSL plays in Internet security, the funding for the OpenSSL Project was limited. According to a blog post by OpenSSL Software Foundation co-founder Steve Marquess, the project received about $2,000 per year in donations, as well as sales revenue from commercial software support contracts and consulting. In the five years since the creation of the OpenSSL Software Foundation, the legal and fundraising arm of the OpenSSL Project, the organization had never taken in more than $1 million in gross revenues annually.
Marquess indicated that OpenSSL had received about $9,000 in donations since the announcement of Heartbleed. Much like other open source software projects, though, OpenSSL's chronic lack of funding had caused problems, including staff shortages.
"These guys don't work on OpenSSL for money. They don't do it for fame. Who outside of geek circles ever heard of them or OpenSSL until 'Heartbleed' hit the news? They do it out of pride in craftsmanship and the responsibility for something they believe in," Marquess said. "There should be at least a half dozen full-time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work. If you're a corporate or government decision maker in a position to do something about it, give it some thought. Please."