Everyone uses OpenSSL, but nobody's willing to fix it — except the Linux Foundation

If you remember the recent Heartbleed outbreak, you probably also remember the sheer panic it induced in the tech industry and users of many popular websites.

The Linux Foundation subsequently created the Core Infrastructure Initiative to help prevent further outbreaks, and today it’s announced two new backers and the first projects getting funding.

As a refresher, a bug named Heartbleed was discovered in the popular encryption library OpenSSL last month. Essentially, the bug meant that attackers could tune into communications between those websites and browsers. OpenSSL is an open-source project, meaning that the Linux Foundation and others in the community are able to work collaboratively to improve its security.

The first projects the CII will fund are Network Time Protocol, OpenSSH, OpenSSL, and the Open Crypto Audit Project (OCAP). OpenSSL will receive enough funds to get two full-time core developers.

The OCAP will get funding to conduct a security audit of the OpenSSL code base, presumably courtesy of Heartbleed which, it turned out, had been around for more than two years before Neel Mehta of Google Security and Codenomicon engineers independently discovered it.

The audit’s high priority is likely due to this fact. OpenSSL is a very popular library, and while someone has to step in and make sure no other bugs are lurking in the shadows, leaving it to a private entity (like a company) would be counter to the idea of open source, hence the foundation’s initiative to help.

“All software development requires support and funding. Open source software is no exception and warrants a level of support on par with the dominant role it plays supporting today’s global information infrastructure,” said Linux Foundation executive director Jim Zemlin in an official statement.

“CII implements the same collaborative approach that is used to build software to help fund the most critical projects. The aim of CII is to move from the reactive, crisis-driven responses to a measured, proactive way to identify and fund those projects that are in need. I am thrilled that we now have a forum to connect those in need with those with funds,” he said.

Adobe, Bloomberg, HP, Huawei, and Salesforce are also joining the CII’s current backers and founders which include Amazon Web Services, Cisco, Dell, Facebook, Google, Microsoft, Intel, and a few others.

The CII will continue to review and select critical open source projects in need of funding and resources.