Heartbleed prompts tech firms to pledge open-source support

Top tech firms have joined forces to support open-source software to help prevent future bugs like Heartbleed

Technology industry heavyweights have joined forces to fund open-source software development projects, such as OpenSSL, to help prevent future bugs like Heartbleed.

The Heartbleed security bug affecting networking equipment and hundreds of thousands of websites was caused by a coding error in OpenSSL software widely used for encryption.

The flaw made the headlines after researchers revealed it could be exploited to steal passwords, credit card details, encryption keys and other sensitive data, without leaving a trace.

Critics of open source have been quick to say that the discovery of the bug, only two years after it was introduced, is proof that the model is broken.

The premise of open-source development is that it will produce high-quality and highly secure software because of the large number of people reviewing the code and working to improve it.

Ironically, an open-source developer inadvertently introduced the coding error responsible for Heartbleed during one of these review cycles in December 2011.

Supporters have said the discovery of Heartbleed shows that bad consequences can arise when the scale of open-source software use outweighs the resources of the community that creates it.


This realisation has prompted Steve Marquess, co-founder and president of the OpenSSL Software Foundation, to appeal for financial support from those that use OpenSSL extensively.

“While OpenSSL does ‘belong to the people’ it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support,” he wrote in a blog post.

Before Heartbleed, the OpenSSL project attracted around $2,000 a year in donations, but that was a fraction of what was required to support such a complex and critical software product, said Marquess.

Inspired by the Heartbleed OpenSSL crisis, technology firms such as Microsoft, Google and Facebook have set up a multi-million dollar project to fund open-source projects critical to core computing.

The Core Infrastructure Initiative’s funds will be administered by the Linux Foundation and a steering group that includes backers of the project, key open-source developers, and industry stakeholders.

The group’s founders say that by raising funds at a neutral organisation, such as the Linux Foundation, the industry can give projects the support they need while ensuring they retain independence.

The initiative has attracted a wide range of supporters, including software firms, internet companies, cloud computing service providers, networking firms, and chip and hardware manufacturers.

Besides Microsoft, Facebook and Google, these include Amazon Web Services, Cisco, Dell, Fujitsu, IBM, Intel, Qualcomm, NetApp, RackSpace and VMware.

The founders of the initiative have pledged to donate $300,000 each to the fund, according to Reuters.

Although the initial focus of the group will be OpenSSL, the Core Infrastructure Initiative (CII) aims to identify and fund other crucial open-source projects.

The funding will ensure support from key developers and provide other resources to improve code quality, security and review processes, and to respond to requests for code updates.

Microsoft said although its customers were not affected by the Heartbleed bug, security is an industry-wide issue requiring industry-wide collaboration.

“That is why we look forward to working with others in the CII, discussing our respective learnings, and sharing resources and tools, such as the Security Development Lifecycle (SDL), to drive further developments, both in the standards space, and in the security development work across the industry,” Steve Lipner, partner director of software security at Microsoft, wrote in a blog post.