The sudden chaos of the Heartbleed bug drove home just how much of the web relies on OpenSSL software, and just how little was being spent to maintain it. But in the aftermath, some of the biggest players in tech are coming together to change that, and hopefully spot the next Heartbleed before it can wreak quite as much havoc.
"I wish we had done this a long time ago."
The new project is called the Core Infrastructure Initiative, formed by the Linux Foundation and devoted to plowing money into the critical software infrastructure that needs it. Executive director Jim Zemlin says that after Heartbleed, it was clear something needed to change. "After we're done updating our software and swapping our certificates, what can we learn? What can be done differently," he says. "Obviously, in retrospect, I wish we had done this a long time ago."
OpenSSL is at the top of the list, but it's not the only item
The Linux Foundation isn't directing the money; Zemlin describes their role as more "a place to hold the money" while the members decide where it needs to go. Those members include giants like Google, Microsoft, and Facebook, along with hardware companies like Intel and Fujitsu, and cloud services groups like Rackspace and Amazon Web Services. Each one is committed to donating at least $100,000 a year for the next three years. With 12 companies already on board, that means the company has already amassed $3.6 million in funding to be doled out as the project progresses.
Because of Heartbleed, Open SSL is at the top of the list, but it's not the only item. ModSSL, PGP, and OpenCryptolab were also mentioned as potential projects the initiative might support. More importantly, the founders hope the project will unearth new priorities once all the stakeholders are meeting regularly. "Hopefully, five years from now when we look back," Zemlin says, "we'll say one of the things we learned was how important it is to have these decisions proactively."