The important role of OpenSSL in securing the internet has never been matched by the resources devoted to maintaining it. Hundreds of thousands of web servers around the globe rely on it for encryption. Although the bug has now been fixed, there is always a chance that a similar bug will be discovered in the future. Tech giants are teaming up to prevent this from happening again.
The Heartbleed bug is one of the biggest and most widespread vulnerabilities in the history of the modern web. It lies in the open-source project OpenSSL, which about 66 percent of the world's web servers rely on to encrypt and secure data.
Despite being so widely used by web servers, the open-source cryptographic software library operates on a small budget. OpenSSL Software Foundation President Steve Marquess wrote in a blog post that OpenSSL typically receives about $2,000 in donations a year, with only one employee working full time on code. Given that, it should not be surprising that the Heartbleed bug, a security flaw in OpenSSL that can expose user passwords and the private encryption keys needed to protect websites, went undetected until recently.
OpenSSL's operations stand in contrast to other open-source projects that receive sponsorship from the corporations that rely on their code. One of the most notable well-funded open-source projects is the Linux operating system kernel, which has a foundation with many employees funded by IBM, Hewlett-Packard, Red Hat, Intel, Google, Oracle, Cisco and more.
To prevent another bug similar to Heartbleed, the Linux Foundation announced on April 24th, 2014, a three-year initiative with at least $3.9 million to fund open-source projects that are somehow "neglected" - with OpenSSL first on the list. Early supporters include Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware. These companies have all pledged to commit at least $100,000 a year for at least the next three years to the "Core Infrastructure Initiative."
"The funding will not come with strings attached," said Linux Foundation Executive Director Jim Zemlin. "We definitely want to help them, but it has to be done under their community norms," he said. "The folks at OpenSSL are guys who have dedicated most of their adult careers to super hard software development that is, I would argue, in some ways thankless work."
The Linux Foundation described it as "a multi-million dollar project... inspired by the Heartbleed OpenSSL crisis." Its funds are administered by the foundation alongside a steering group composed of backers of the project as well as key open-source developers and other industry stakeholders.
Zemlin and the Linux Foundation have a good track record of sponsoring open-source projects. The foundation, formed in 2000, sponsors the work of Linux creator Linus Torvalds on the Linux kernel. Many of the same companies that have donated to the Core Infrastructure Initiative also sponsor the Linux kernel.
Amanda McPherson, Chief Marketing Officer at the Linux Foundation, explained that the group decided to initiate the project because it was "really in our wheelhouse of connecting industry with developers."
The money will not just pay for full-time developers or third-party code audits, but also cover any needed infrastructure to conduct such work and the expenses of in-person collaborations.
Now or Never
The Heartbleed bug would have been bad enough had it been contained to web servers alone. In fact, it affected numerous other products as well, which made the problem far more complicated. The companies pledging money here might have avoided this mess had they donated years ago.
IBM had to warn its business customers that some of its products were at risk from the Heartbleed bug. So did Cisco, VMware, Dell, Intel, and NetApp.
Donations have increased since the bug was discovered, bringing in an additional $9,000. In addition, OpenSSL Software Foundation consultants have work-for-hire agreements with commercial customers at a rate of $250 an hour. This has brought in nearly $1 million in some years.
The OpenSSL team has faced criticism. OpenBSD founder Theo de Raadt has created a fork of OpenSSL called LibreSSL. He argues that OpenSSL is full of "discarded leftovers" and unreadable code. An anonymous developer said that he became frustrated in his attempts to contribute code to OpenSSL, saying that "OpenSSL rarely accepts code contributions. The work just sits in the RT [request tracker] system. I've got patches for bug fixes and documentation changes that have *never* even been considered."
This may be a consequence of OpenSSL's lack of resources. With more people and more funding, contributions could flow more easily.
Anyone can donate to the Core Infrastructure Initiative. The Linux Foundation has created a page for the Core Infrastructure Initiative for those who want to contribute. More firms are expected and invited to join, and the Linux Foundation said that the combined funds will support open-source projects that preserve 'global computing infrastructure' and are 'experiencing under-investment'.
The scramble that followed the discovery of the Heartbleed bug shows how much of the web relies on OpenSSL, and how little was being spent to maintain it. Some of the biggest players in the tech industry are coming together to change that, and hopefully to spot the next Heartbleed before it can do such damage.