Tech Companies Join Forces to Prevent Another Heartbleed

More than a dozen tech companies, including Facebook, Google, Microsoft, Amazon and IBM, have joined forces to try to prevent another Heartbleed-like security breach.

Heartbleed is one of the biggest and most widespread vulnerabilities in the history of the modern web. The problem stemmed from an errant line of code in the open-source project OpenSSL. About 66% of web servers rely on OpenSSL to encrypt data and keep things secure.

The bug in OpenSSL meant that the secret encryption keys — which are what ensure that your passwords and other data are securely transmitted — could be stolen from a web server without anyone knowing. The bug existed in OpenSSL for more than two years before being publicly patched and announced.

The program, dubbed the Core Infrastructure Initiative, is an offshoot of the Linux Foundation and is designed to “fund open source projects that are in the critical path for core computing functions,” according to a description on its website. The group will work with “an advisory board of esteemed open source developers to identify and fund open source projects in need.”

Each of the tech companies has agreed to commit $100,000 per year for the next three years for the initiative. That brings the total to over $4 million (at the time of this writing).

The first project targeted by the foundation is OpenSSL. OpenSSL, the open-source program at the center of the Heartbleed bug, is used by 66% of web servers and can be found in thousands of hardware devices and client-side applications. However, the project is severely underfunded; it raised only $2,000 in donations in 2013 and relies on contract work to fund ongoing development.

Last week, we wrote about the need for larger corporations to give back to projects such as OpenSSL.

I do hope that the largest companies that benefit from OpenSSL — especially those who use the software in their commercial hardware products and security consoles — will see Heartbleed as a wake-up call. Not to abandon OpenSSL and move to a paid solution — but to do a better job giving back to the project and community.

Giving back to the project and community is exactly the aim of the Core Infrastructure Initiative. Jim Zemlin, the executive director of the Linux Foundation, said that this program is not meant to change the current operating or governance structure of the open-source projects, but rather to offer those projects resources so that they can continue to grow and evolve.

“We want to allow the true artists — like the OpenSSL developers — to focus on their craft full-time,” Zemlin said. The support from the major organizations, which include Facebook, HP, Microsoft, Google, Dell, Cisco, IBM, VMWare, Qualcomm, Rackspace, Amazon Web Services, Fujitsu and IBM, will not be an attempt by those groups to control the open-source projects.

Zemlin and the Linux Foundation have a good track record for sponsoring open-source projects. The foundation was formed in 2000 as a way to sponsor the full-time work of Linux creator Linus Torvalds and his work on the Linux kernel. Many of the same companies that are contributing to the Core Infrastructure Initiative also sponsor the Linux kernel.

Zemlin also remarked that getting companies onboard to join the initiative was remarkably easy.

“I was on the phone with our partners on Sunday while simultaneously building the Millennium Falcon LEGO set with my daughter,” he said.

“The first reaction from every partner was an immediate ‘of course — what can we do to help.’”

When the Linux kernel itself experienced a data breach a few years ago, some members of the foundation discussed the idea of finding other projects important to the infrastructure of the web and making sure they had enough financial and logistical support.

“I only wish we had gone forward with that idea then rather than waiting,” Zemlin said.

Author: Christina Warren