Top Tech giants join hands to launch Core Infrastructure Initiative

Funding for open source projects that constitute critical elements of the global information infrastructure was long neglected, until the technology behemoths of today recently came together to provide funds and support for such projects. Companies like Google, Microsoft, Intel, Facebook, Cisco and many others formed the “Core Infrastructure Initiative” to support this cause through the Linux Foundation. The initiative aims to seek out, identify and fund open source projects that are already used extensively in core computing and internet functions.

This doesn’t come as a surprise considering the internet is currently recuperating from the Heartbleed vulnerability. This crisis is thought to be the actual reason that pushed the launch of this initiative. Basically, the Heartbleed Bug is a serious vulnerability in the popular OpenSSL (Secure Socket Layer) cryptographic software library’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension. If this vulnerability is exploited, it leads to the leak of memory contents from the server to the client and from the client to the server. According to Heartbleed.com, “this vulnerability allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software library. Doing so compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users”.

The only way to stop this leak or fix this vulnerability was to use the newly released fixed version of the OpenSSL software library, which has now been deployed. Hence the OpenSSL library will be among the first projects supported by the Core Infrastructure Initiative. As the vulnerability impacted almost every aspect of current technology, trust in SSL, which forms the basic core fibres of the internet, was shaken. The presence of such diverse members from the industry is exactly what an initiative like this needs. Steve Lipner, partner director of software at Microsoft, was quoted as saying: “Security is an industry-wide concern requiring industry-wide collaboration”. Chris DiBona, director of engineering for open source at Google, added: “We believe that an open-source approach to online security will ensure that code is constantly improving, making the web a safer place for us all”.

Deciding to whom and how the funds will be allotted will be the responsibility of the Linux Foundation’s group of founding members, open source developers and industry stakeholders. The funds generated through this initiative will also go towards security audits where they’re needed the most, that is, for fixing flaws found in widely used segments of code. This isn’t the first time that initiatives such as this one have been implemented. Previously there have been many programs that offered a reward for finding and fixing security bugs online. Reward-based programs encourage security experts to devote their time and focus to work that benefits the community as a whole, and they provide the developers with financial support.

The Linux Foundation also highlighted that this initiative is not interested in funding “closed-sourcing” projects. Supporting developers who work on open source projects under the community guidelines is the need of the hour, and the Core Infrastructure Initiative will see to it. A recent study by Coverity Open Scan has found that the quality of open source code is much better than that of proprietary code. This is precisely why it is so necessary to protect and support the interests and projects of people involved in the development of open source applications.

If you’re interested in this cause and want to hop in on the bandwagon, you can join this initiative or donate funds here: http://dgit.in/CII_Donate.
