The Linux Foundation has announced that it will commit funds for a thorough audit of the embattled OpenSSL code base and underwrite the salaries of two full-time developers to work on the project's cryptographic library as part of its Core Infrastructure Initiative (CII).
OpenSSL is free, open source software available for anyone to use, and it is employed by organizations from the Fortune 500 down to small businesses; yet the code itself was developed by volunteers, and the project does not have the funds to conduct thorough code reviews and testing for vulnerabilities.
“Upon an initial review of critical open source software projects, the CII Steering Committee has prioritized Network Time Protocol, OpenSSH and OpenSSL for the first round of funding. OpenSSL will receive funds from CII for two full-time core developers,” the Foundation stated.
“The OpenSSL project is accepting additional donations, which can be coordinated directly with the OpenSSL Foundation (contact at firstname.lastname@example.org).”
Just a week after the crowd-sourced bug bounty collective Bugcrowd launched a campaign to raise funds for a thorough code audit of OpenSSL in the wake of the Heartbleed vulnerability disclosure, The Linux Foundation announced it was teaming up with leading tech firms to fund and support security for “critical elements of the global information infrastructure.”
“The Core Infrastructure Initiative is a multi-million dollar project organized by The Linux Foundation to fund open source projects that are in the critical path for core computing and Internet functions. Galvanized by the Heartbleed OpenSSL crisis, the Initiative’s funds will be administered by The Linux Foundation and a steering group comprised of backers of the project as well as key open source developers and other industry stakeholders,” the Foundation previously stated.
The Foundation also announced that CII founding backers Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, and VMware will be joined by new members Adobe, Bloomberg, HP, Huawei and Salesforce, who will work with The Linux Foundation to identify and fund critical open source projects in need of financial and technical assistance.
“Whether we acknowledge it or not, the security of today’s Internet depends on a small number of open source projects. This initiative puts the resources in place to ensure the long-term viability of those projects. It makes us all more secure,” said Matthew Green, Research Professor of Computer Science at the Johns Hopkins University and a co-founder of the Open Crypto Audit Project.