Corporations put their cash where their open source security is

OpenSSL and Open Crypto Audit Project are the first open source projects to receive funding from the Core Infrastructure Initiative.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The corporate cash faucet has been turned on for vital, but neglected, open-source projects. The Core Infrastructure Initiative (CII) has reviewed under-funded but critical open source software projects and decided that Network Time Protocol (NTP), OpenSSH, and OpenSSL will get the first round of funding.
OpenSSL will receive funds from CII for two full-time core developers.

OpenSSL Software Foundation President Steve Marquess, who joined OpenSSL in April, said that he did not consider this enough and that he'd "ultimately like to see more than just two dedicated people working on OpenSSL, but these Linux Foundation fellowships are the most significant good news the OpenSSL project has ever had." The two new full-time programmers are Stephen Henson and Andy Polyakov.

The project, needless to say, is accepting additional donations. These can be coordinated directly with the OpenSSL Foundation (contact at info@opensslfoundation.com).

The Open Crypto Audit Project (OCAP) will also receive funding in order to conduct a security audit of the OpenSSL code base. Other projects are under consideration and will be funded as assessments are completed and budget allows.

The exact amounts being given to OCAP, NTP, and OpenSSH have not been revealed. In general, the CII provides funding for fellowships for key developers to work full time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination, and other support. The Steering Committee, composed of members of the Initiative, and the Advisory Board of industry stakeholders and esteemed developers are tasked with identifying underfunded open source projects that support critical infrastructure and administering the funds through The Linux Foundation.

"All software development requires support and funding. Open source software is no exception and warrants a level of support on par with the dominant role it plays supporting today's global information infrastructure," said Jim Zemlin, executive director at The Linux Foundation, in a statement. "CII implements the same collaborative approach that is used to build software to help fund the most critical projects. The aim of CII is to move from the reactive, crisis-driven responses to a measured, proactive way to identify and fund those projects that are in need. I am thrilled that we now have a forum to connect those in need with those with funds."

In addition, the CII's backers, which already include Google, IBM, Intel, Cisco, Microsoft, and VMware, have now been joined by Adobe, Bloomberg, HP, Huawei, and salesforce.com. These companies represent the ongoing and overwhelming support for the open source software that provides the foundation for today's global infrastructure. Each CII member has pledged a minimum of $100,000 a year for a minimum of three years to support critical open source projects.

Looking ahead, the CII also announced its Advisory Board. This group will advise the CII Steering Committee about the open source projects most in need of support. Its membership, a who's who of open source programmers, security experts, and lawyers includes:

  • Alan Cox, a longtime Linux kernel developer
  • Matthew Green, a Research Professor of Computer Science at the Johns Hopkins University and a co-founder of the OCAP
  • Eben Moglen, a professor of law and legal history at Columbia University; founder, director-counsel and chairman of the Software Freedom Law Center; and the foremost expert on open source legal practices
  • Bruce Schneier, a well-recognized expert on computer security and privacy

In a statement, Schneier said of the CII: "This is an important step towards improving the security of the Internet. I'm happy to see the technology companies that rely on the security of open source software investing in that security."