OpenSSL and other open projects to get money for security audits

One of the problems with some open source software is there sometimes aren’t enough volunteer developers to comb through code to ensure there are no holes. That appears to have been the problem that led to the OpenSSL Heartbleed vulnerability discovered last month.

That’s about to change somewhat. Today the Linux Foundation announced a project called the Core Infrastructure Initiative that will fund fellowships for developers to work full time on open source projects, security audits, computing and test infrastructure. The money will cover travel and other support.

A steering committee has prioritized critical open source software projects for applicants including OpenSSL, OpenSSH and Network Time Protocol for the first round of funding. OpenSSL will receive funds from CII for two fulltime core developers. The Open Crypto Audit Project (OCAP) will also receive funding in order to conduct a security audit of the OpenSSL code base.

“All software development requires support and funding. Open source software is no exception and warrants a level of support on par with the dominant role it plays supporting today’s global information infrastructure,” Jim Zemlin, executive director at The Linux Foundation, said in a statement announcing the initiative.

“CII implements the same collaborative approach that is used to build software to help fund the most critical projects. The aim of CII is to move from the reactive, crisis-driven responses to a measured, proactive way to identify and fund those projects that are in need. I am thrilled that we now have a forum to connect those in need with those with funds.”

OpenSSL is a widely-used cryptographic solution, but a vulnerability revealed last month led consternation around the world as Web sites were temporarily shuttered while the bug was fixed. However, Revenue Canada believes some 900 social insurance numbers were captured by attackers.

Heartbleed is the name given to a coding error in the open source implementation of the SSL and TSL encryption protocols called OpenSSL. The encryption is used to protect the transport of a wide range of data including private keys, user names and passwords held by public and private organizations. Briefly, part of the SSSL transaction involves a so-called heartbeat. The coding vulnerability allows someone to “bleed” out sensitive information held in memory through packets that trigger a buffer over-read.

OpenSSL developers have said one of the reasons the vulnerability was missed was because there weren’t enough eyes watching the code.

Initial members of the Core Infrastructure Initiative include some of the biggest names in IT who also use some open source code in their applications: Amazon Web Services, Cisco Systems, Dell Inc., Facebook, Fujitsu, Google, IBM Corp., Intel, Microsoft Corp., NetApp, Rackspace and VMware. They have just been joined by Adobe, Bloomberg, Hewlett-Packard Co., Huawei Technologies and

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now