Corporations put their cash where their open source security is

Summary: OpenSSL and Open Crypto Audit Project are the first open source projects to receive funding from the Core Infrastructure Initiative.


The corporate cash faucet has been turned on for vital, but neglected, open-source projects. The Core Infrastructure Initiative (CII) has reviewed under-funded but critical open source software projects and decided that Network Time Protocol (NTP), OpenSSH, and OpenSSL will get the first round of funding.


OpenSSL will receive funds from CII for two full-time core developers.

OpenSSL Software Foundation President Steve Marquess, who joined OpenSSL in April, said that he did not consider this enough and that he'd "ultimately like to see more than just two dedicated people working on OpenSSL, but these Linux Foundation fellowships are the most significant good news the OpenSSL project has ever had." The two new full-time programmers are Stephen Henson and Andy Polyakov.

The project, needless to say, is accepting additional donations. These can be coordinated directly with the OpenSSL Foundation (contact at

The Open Crypto Audit Project (OCAP) will also receive funding in order to conduct a security audit of the OpenSSL code base. Other projects are under consideration and will be funded as assessments are completed and budget allows.

The exact amounts being given to OCAP, NTP, and OpenSSH have not been revealed. In general, the CII provides funding for fellowships for key developers to work full time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support. The Steering Committee, comprised of members of the Initiative, and the Advisory Board of industry stakeholders and esteemed developers, is tasked with identifying underfunded open source projects that support critical infrastructure, and administering the funds through The Linux Foundation.

"All software development requires support and funding. Open source software is no exception and warrants a level of support on par with the dominant role it plays supporting today’s global information infrastructure,” said Jim Zemlin, executive director at The Linux Foundation in a statement. “CII implements the same collaborative approach that is used to build software to help fund the most critical projects. The aim of CII is to move from the reactive, crisis-driven responses to a measured, proactive way to identify and fund those projects that are in need. I am thrilled that we now have a forum to connect those in need with those with funds.”

In addition, the CII's backers, which already include Google, IBM, Intel, Cisco, Microsoft, and VMware have now been joined by Adobe, Bloomberg, HP, Huawei, and These companies represent the ongoing and overwhelming support for the open source software that provides the foundation for today’s global infrastructure. Each CII member has pledged a minimum of $100,000 a year for a minimum of three years to support critical open source projects.

Looking ahead, the CII also announced its Advisory Board. This group will advise the CII Steering Committee about the open source projects most in need of support. Its membership, a who's who of open source programmers, security experts, and lawyers includes:

  • Alan Cox, a longtime Linux kernel developer
  • Matthew Green, a Research Professor of Computer Science at the Johns Hopkins University and a co-founder of the OCAP
  • Eben Moglen, a professor of law and legal history at Columbia University; founder, director-counsel and chairman of Software Freedom Law Center; and the foremost expert on open source legal practices.
  • Bruce Schneier, a well-recognized expert on computer security and privacy

In a statement, Schneier said of the CII: "This is an important step towards improving the security of the Internet. I'm happy to see the technology companies that rely on the security of open source software investing in that security."

  • OS

    Open source = You get what you pay for. Problems? Call the OS 800 number.
    • Proprietary programs=

      deny problem+
      can't fix+
      won't fix+
      "that's a feature".

      Call the 800 number?
      Infinite hold.... and a bill for doing nothing.
      • Not so

        For-profit organizations are driven by what exactly?

        Yes, profit.

        CEO's and the other VPs continuously live under the pressure to produce profits, or they get axed by their respective boards and shareholders.

        Obviously, if sales drop off then corporate profits plummet. They either fix the problems in existing products, continually innovate, or they wither on the vine. Is that so complicated to grasp?
        • And they don't test software and act like rabbit...

          ...putting its head in a bush and hoping there ain't any danger at all. For instance, bragging about the security of the IE browser (with a relatively small number of security tests compared to Chrome and especially Firefox). Everyone knows how awful IE is.

          Corporate logic: increase incomes, reduce costs (not investing much in security). "The Public Be Damned," as Vanderbilt said in the late 19th century.
          • Don't pick and choose

            You can *always* find an example that you will showcase to make your case. But that sort of short-sighted, fallacious reasoning is shallow and transparent.

            A broader look at which business models produce the products and services that strike the optimal balance of usability, security, and availability will generally be from - albeit, my opinion - companies with a profit motive.

            For long term investments, companies choose Redhat over CentOS. CentOS is outstanding, based on the previous rev of Redhat, basically. Yet if you look at Healthcare, running an EMR like Epic, you will choose either HP UNIX or Redhat. Why? They are vendor certified. Why are they vendor certified, and why isn't CentOS, or Ubuntu, or OpenSuse?

            If you are running desktops in a corporate environment, will you run an open source desktop OS or Windows (or Mac OSX)?

            Why not use some flavor of Linux that is free? That answer should be bleeding obvious. I use Linux, but OMG the numbers of package updates that come through each week is striking. HOW DO I KNOW THAT THEY ARE SECURE?

            Should I just trust Canonical or any of the other sources that their sources have properly vetted the updates? I cannot imagine blindly trusting so many unverified sources for updates, patches, and packages.

            Sure, IE is poo, but using that as an example to make a case against MS, or closed-source, for-profit products, is very weak.
  • Open source sounds so cool

    But forgive me, I do tend to get nervous when a financial interest in success is not a significant part of an organization's motivations. Is it not human nature to want to be rewarded for one's time invested in hard work?

    I get that profit can be a double-edged sword, there is no doubt about that. But it seems to me that in a balanced, healthy, for-profit org there are checks and balances. Public companies have boards of directors, shareholders, government regulations, and most importantly, their customers.

    CEOs want bonuses.

    Developers want high salaries.

    ...and so on...

    Customers want a product or service that works for them, blah, blah blah. I cannot see how over the long term, open source (freebie) orgs, which have no profit motive, 1) stay in business (kinda oxymoronic, being in business to give away your products and services), and 2) retain the same talent year in and year out. Where will the college grads with 75K in debt gravitate towards?

    I'm looking at the disasters with bitcoin (Mt Gox, namely), the horrible oversight (or worse) with OpenSSL, the sudden disappearance/hack of TrueCrypt, the changes and forks in the various Open source projects where it seems like tantrums result in break ups...none of that lends credibility to the Open source community.

    How do I have confidence in products where hundreds or thousands of people contribute in small ways to the thousands of packages that get updated on my Linux workstations and servers, submit to other orgs that have dozens or hundreds of non-paid (mostly) people, who say it is safe and secure to use their products? What is the motivation beside that which is altruistic?

    Not everyone has integrity, not even open source types (hackers don't buy Windows, after all).
  • Financial interest in success can result in different paths

    One path attempts to minimize operating costs through the ignorance of a secure development life-cycle. Well-known examples include:

    o Oracle (previously Sun) Java web browser plug-in
    o Adobe Reader
    o Adobe Flash Player

    And don't be confused by Adobe's use of sandboxing to contain its poor-quality, proprietary software. Microsoft, with Windows 8, and Google, with its Chrome browser, also sandbox the Adobe Flash Player plug-in.

    And what of the recent, highly-publicized GnuTLS (open source, no less) vulnerability from Apple? Does Apple not have a financial interest in its hardware products running iOS and OS X? Apple currently has over $150 billion U.S. in cash and cash equivalents. There's certainly no lack of money.

    The best example of open source security is the OpenBSD project which has been auditing its source code with a 6 to 12 member auditing team since 1996. OpenBSD users got slammed with the OpenSSL Heartbleed vulnerability just like many users of Microsoft Windows and Apple OS X repeatedly get slammed with Oracle Java web browser plug-in and Adobe Flash Player vulnerabilities. The OpenBSD project response was to fork OpenSSL with its own LibreSSL project which will get increased scrutiny from a security perspective. In the future, it will be interesting to compare the LibreSSL project with the CII-backed OpenSSL project as vulnerabilities are discovered.

    And let's not forget that once a vulnerability has been identified in software, open source projects are generally much quicker to patch the vulnerability than are proprietary software companies.
    Rabid Howler Monkey
  • Confused about Open Source

    Why do so many commenters here seem to think open source software is written by volunteer nerds in basements? The big open source contributors are companies such as Microsoft, Google, LinkedIn, Apple, IBM, Facebook, Red Hat, ...
    • Open source has many contributors

      Problem is, we don't know who they are.

      If I choose OSX, I know that all of the contributors are working for, and on behalf of one company and one product.

      If you throw out names like IBM, Google, LinkedIn, etc, etc, etc, then you're just tossing out a red herring. These companies embrace open source for a variety of reasons. But just as Oracle embraced open source with MySQL, there is a control and profit motive there, pure and simple.

      And for those companies that toss money into the coffers of open source orgs, they do so for their own reasons. Do you expect anyone to believe that a for-profit company does this for some altruistic reason?

      Yeah, right, and RJ Reynolds really doesn't want me to take up smoking. My proof of that? They have funded many anti-smoking campaigns, so surely they don't want me to run out and buy a pack of smokes....right?
      • nope

        I'm in the industry and your comment isn't right. I won't bother explaining just go educate yourself. All I can say to simply negate it is OSX is built on plenty of open source software, google that for starters.

        We all know who checks in code for open source projects, it's completely obvious. You can go find out. They don't just merge code in to master branches from some random person off the street.

        Big companies embrace and contribute to open source code for a variety of very good reasons.
    • Corporate contribution of code to open source software

      in no way assures that a proper security development life-cycle is in place at either the corporation contributing the code or at the open source project receiving the contributions.
      Rabid Howler Monkey
      • Where lies the highest probability of QA?

        From open source or for-profit firms?

        I think, on balance, the highest probability of high quality products and services with long-term support will not come from, by and large, open source sources.
        • At those organizations, whether a company or an open source project,

          where the leadership has decided that software quality is of high importance. The OpenBSD project has shown that open source projects can achieve high software quality assurance.

          The CII is an experiment, IMO. I hope that it has better success than did the POSSE Project over 10 years ago:

          "The POSSE Project"

          There are many proprietary ISVs with tons of money where the leadership has decided that cost efficiency, getting a product out the door by a certain date, adding new features and/or executive bonuses trump software quality.

          While quality over the long-term may be free (as in the book "Quality is Free"), the short-term usually requires some investment. However, tons of money != quality, software or otherwise.
          Rabid Howler Monkey
          • I'm talking about off-the-shelf products and solutions available today

            Do any organizations simply throw increasing amounts of money at a product or solution and hope it gets better, or is profitable?

            Especially not for-profit, publicly traded firms. Or, at least not many and not for long. That is not exactly a durable business practice.

            Yes, there are projects (dev projects, foundations, etc) that do produce high quality, standards based, dependable products that have proven records. But at the end of the day, what are they producing for me or for my business?

            What concerns me about open source is the fact that it is a patchwork quilt, and I simply do not believe that without strong oversight of the completed quilt that I can trust that there isn't some bad stitching and some bad sections of cloth.

            I trust that more often a for-profit model (again, I said that I believe more often, not always) is going to police itself when putting together the complete quilt.

            It is all too easy to rip MS and Windows. Windows is big, very big, and it has to be. When I compare the user experience, the depth of ooo capabilities, the richness of the user experience, the fine UI details, all that, any OS would have to be big.

            As another example, take a business product, such as a corporate mail server. Compare Exchange to any others - yeah, it's a beast. Yet, there is no other mail exchange platform that has all of the features and capabilities of Exchange. It is going to be beastly to have all of the capabilities that it has, there is no way around that fact.

            I can see where my choice for desktop Linux, Mint, has its own set of challenges. It takes hundreds of part-time developers to maintain the myriad of packages that collectively make up Linux. Desktop Linux is so much smaller in terms of capability and scale than Windows; naturally there is less to update, patch, and continually develop. But I am depending on the QC and QA of these people who are only, at best, loosely associated with one another, and most often develop their pieces from within their own little silos.

            I use many open source products, a few of which include Apache, Linux, ImageMagick, many software titles (Conky, FireFox, Cream, VLC, 7zip, ClassicShell, Gimp, and so on...). I tend to look at Open Source products as single purpose apps, not entire eco-systems.
          • nope

            Go get a job where you can spend some time in large data centers. You're not using Exchange to handle hundreds of millions of users' mail and you're not using IIS to host things like Facebook and Google. When you're working with scales like that you're probably not using any, or very little, closed source software.

            Your perspective and scope is small-medium business IT. And in that regard maybe you're right, there's no real market for that level/type of software for open source. Open source excels at the big hitting items. The things that solve global scale software problems.

            Open source clearly excels at some small scale things too, like embedded and mobile. It's been the case and known for years that its weak spots are in the middle/gray area. Linux as the dominant desktop, for example. 20+ years and still barely a scratch. But it has dominated in every other vertical.

            Everything in my home even, from router, to media player, to IP cameras, to NAS are using open source software. The only closed OS (windows) is in my gaming comp.