Reuters


The world’s biggest technology companies are donating millions of dollars to fund improvements in open source programs like OpenSSL, the software whose “Heartbleed” bug has sent the computer industry into turmoil.

Amazon, Cisco Systems, Facebook, Google, IBM, Intel and Microsoft are among a dozen companies that have agreed to be founding members of a group known as the Core Infrastructure Initiative. Each will donate $300,000 to the venture, which is recruiting more backers among technology companies as well as the financial services sector.

Other early supporters are Dell, Fujitsu, NetApp, Rackspace Hosting and VMware.

The industry is stepping up after the group of developers who volunteer to maintain OpenSSL revealed that they had received donations averaging only about $2,000 a year to support the project, whose code is used to secure two-thirds of the world’s websites and is incorporated into products from many of the world’s most profitable technology companies.

“I think we get complacent as an industry when we see something as working well or working ‘well enough.’ We sort of see it as a maintenance job,” said Chris DiBona, director of open source and engineering with Google. “We have to be a bit more vigilant.”

The Heartbleed bug has likely cost businesses tens of millions of dollars in lost productivity while updating systems with safe versions of OpenSSL, according to security experts. Also, it has already resulted in at least one major cyberattack: the theft of data from Canada’s tax authority.

The nonprofit Linux Foundation, which promotes development of the open-source Linux operating system, organized the group and announced its formation on Thursday.

It will support development of OpenSSL as well as other pieces of open-source software that make up critical parts of the world’s technology infrastructure but whose programmers do not necessarily have adequate funding, said Jim Zemlin, executive director of the Linux Foundation.

Heartbleed is a major bug in OpenSSL encryption software, which is widely used to secure websites and technology products, including mobile phones, data-center software and telecommunications equipment. It makes systems vulnerable to data theft by hackers who can attack them without leaving a trace.

Open-source software is free. The term “open source” refers to the fact that its source code, from which finished programs are created, is available to anyone to view and improve. It often is developed by groups spread across the globe who seek community involvement to improve the code. Companies are typically free to incorporate such code in their products without paying any fees to the volunteer developers who maintain the code.

Some types of open-source software, such as Linux and the MySQL database, have versions that are sold by companies such as Red Hat and Oracle, which offer premium services such as updates and help-desk support. Most versions are available for free, as are most of the programs available for Linux. Many of the best programs are available on other operating systems as well, such as the Firefox web browser, the GIMP image editing program and the OpenOffice/LibreOffice office suites.

The Core Infrastructure Initiative expects to offer one or more of the small crew of OpenSSL developers full-time jobs working on the project through fellowships, Zemlin said in an interview.

It will also identify other projects like OpenSSL that it believes are equally critical to the infrastructure of the Internet and merit support.

Eben Moglen, a Columbia Law School professor and attorney who represents many open-source software projects, said he believes there are six to 10 such essential open-source software projects. “The process of keeping software secure is constant. It never stops,” said Moglen, whose clients include the group of OpenSSL developers.
