Sometimes it takes a crisis to get people to pay attention. The Heartbleed bug definitely counts as a crisis, and the people responsible for OpenSSL now have reason to hope they’ll be taken more seriously by some industry players with deep pockets.
Considering the role that OpenSSL plays in making the Internet secure, it’s long been a sore point that major tech companies who use it in their products have been reluctant to give it the financial support they give to other open source initiatives. The OpenSSL Software Foundation operates on a shoestring budget, racking up a less than impressive US$2,000 in donations annually and boasting a single full-time employee.
This means the foundation hasn’t had the resources to hire enough people to adequately watch over the code (see below), which led to the vulnerability being missed.
But that may be about to change, and the Heartbleed bug is the catalyst. An Ars Technica story says that OpenSSL is in line to get a big funding infusion.
The Linux Foundation has announced the “Core Infrastructure Initiative,” a three-year plan with at least $3.9 million to help fund open-source projects, and OpenSSL is at the top of the list. Linux Foundation executive director Jim Zemlin told Ars Technica that Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware have all pledged to commit at least $100,000 a year for at least three years to the initiative. Of course, not all of that largesse will go to OpenSSL, but it’s still very good news, even if the nuts and bolts are still being worked out.
Zemlin says he didn’t have to do much arm-twisting when he approached the companies involved. “Before I could even get my last word out most folks were like, ‘absolutely,’” he said. “We should have done this three years ago to be honest.”
OpenSSL may now be able to garner fellowship funding for key developers, and other resources to help improve security, enable outside reviews and boost responsiveness to patch requests. Security audits, computing and test infrastructure, travel and face-to-face meeting coordination will be among the potential benefits.
Zemlin says the funding has no strings attached. “We definitely want to help them, but it has to be done under their community norms. The folks at OpenSSL are guys who have dedicated most of their adult careers to super-hard software development that is, I would argue, in some ways thankless work.”
“The companies pledging money here might have avoided a big mess if they donated years ago,” Ars Technica’s Jon Brodkin writes. “The Heartbleed vulnerability would have been bad enough if it had been contained to Web servers, but it affected numerous other products too.”
OpenSSL Software Foundation President Steve Marquess recently posted that ideally there should be at least a half-dozen full-time employees on the OpenSSL team, not just one. “If you’re a corporate or government decision maker in a position to do something about it, give it some thought. Please. I’m getting old and weary and I’d like to retire someday.”
Maybe now, at last, there will be enough in the kitty to hire some new blood.