Open Source Community Rallies in Response to Heartbleed Bug

Mike Vizard

History is full of examples where a crisis leads to some form of substantial progress that creates a much larger benefit for all concerned. It looks like the Heartbleed Bug, a vulnerability in the OpenSSL cryptographic software library that let attackers read sensitive data from the memory of just about every major website, might be just such an example.

This week the Linux Foundation announced that it has recruited Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace and VMware to create a Core Infrastructure Initiative through which they will jointly fund open source projects. Jim Zemlin, executive director of the Linux Foundation, says the first project will be to start compensating open source developers and security experts to review major open source projects for additional security flaws.

Zemlin notes that what most people don’t realize is that up until now, a small number of crypto security experts have been working on open source security in their spare time as a labor of love. By compensating those people for their efforts, Zemlin says more thorough security reviews can be accomplished because these experts won’t have to spend as much time on other projects in order to make a living. In the same way that the Linux Foundation funds the efforts of Linux founder Linus Torvalds, the larger open source developer community will also be funded.

The open source community, concedes Zemlin, was clearly caught off guard by the Heartbleed vulnerability. But Zemlin says the sincere response of the open source community to the problem is reflected in the short time it has taken the Linux Foundation to set up this initiative. All members of the Core Infrastructure Initiative pledged funding within days, some even minutes, of being contacted, says Zemlin.

No one knows to what degree the Heartbleed bug has been exploited. But chances are that similar vulnerabilities exist in all kinds of open source software. While that may give some organizations cause for pause when it comes to deploying open source software, the good news is that a lot more attention to the problem is about to be applied to the benefit of us all.

May 8, 2014 1:02 PM Jessica Dodson says:
"By compensating those people for their efforts, Zemlin says more thorough security reviews can be accomplished because these experts won’t have to spend as much time on other projects in order to make a living." I get what they are saying, but the concern is that once money gets involved you have to deal with red tape and politics. These experts may have more time to work, but will more hands in the pot actually make a worse mess?
