History is full of examples where a crisis leads to some form of substantial progress that creates a much larger benefit for all concerned. It looks like the Heartbleed bug, a vulnerability in the OpenSSL cryptographic software library through which hackers could create backdoors into just about every major website, might be just such an example.
This week the Linux Foundation announced that it has recruited Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace and VMware to create a Core Infrastructure Initiative through which they will jointly fund open source projects. Jim Zemlin, executive director of the Linux Foundation, says the first project will be to start compensating open source developers and security experts to review major open source projects for additional security flaws.
Zemlin notes that what most people don’t realize is that up until now, a small number of crypto security experts have been working on open source security in their spare time as a labor of love. By compensating those people for their efforts, Zemlin says more thorough security reviews can be accomplished because these experts won’t have to spend as much time on other projects in order to make a living. In the same way that the Linux Foundation funds the efforts of Linux founder Linus Torvalds, the larger open source developer community will also be funded.
The open source community, concedes Zemlin, was clearly caught off guard by the Heartbleed vulnerability. But Zemlin says the sincere response of the open source community to the problem is reflected in the short time it has taken the Linux Foundation to set up this initiative. All members of the Core Infrastructure Initiative pledged funding within days, some even minutes, of being contacted, says Zemlin.
No one knows to what degree the Heartbleed bug has been exploited. But chances are that similar vulnerabilities exist in all kinds of open source software. While that may give some organizations cause for pause when it comes to deploying open source software, the good news is that a lot more attention to the problem is about to be applied to the benefit of us all.