Open Source Community Rallies in Response to Heartbleed Bug


    History is full of examples where a crisis leads to some form of substantial progress that creates a much larger benefit for all concerned. It looks like the Heartbleed bug, a vulnerability in the OpenSSL cryptographic software library through which hackers could create backdoors into just about every major website, might be just such an example.

    This week the Linux Foundation announced that it has recruited Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace and VMware to create a Core Infrastructure Initiative through which they will jointly fund open source projects. Jim Zemlin, executive director of the Linux Foundation, says the first project will be to start compensating open source developers and security experts to review major open source projects for additional security flaws.

    Zemlin notes that what most people don’t realize is that up until now, a small number of crypto security experts have been working on open source security in their spare time as a labor of love. By compensating those people for their efforts, Zemlin says more thorough security reviews can be accomplished because these experts won’t have to spend as much time on other projects in order to make a living. In the same way that the Linux Foundation funds the efforts of Linux founder Linus Torvalds, the larger open source developer community will also be funded.

    The open source community, concedes Zemlin, was clearly caught off guard by the Heartbleed vulnerability. But Zemlin says the sincere response of the open source community to the problem is reflected in the short time it has taken the Linux Foundation to set up this initiative. All members of the Core Infrastructure Initiative pledged funding within days, some even minutes, of being contacted, says Zemlin.

    No one knows to what degree the Heartbleed bug has been exploited. But chances are that similar vulnerabilities exist in all kinds of open source software. While that may give some organizations pause when it comes to deploying open source software, the good news is that a lot more attention to the problem is about to be applied, to the benefit of us all.

    Mike Vizard
    Michael Vizard is a seasoned IT journalist, with nearly 30 years of experience writing and editing about enterprise IT issues. He is a contributor to publications including Programmableweb, IT Business Edge, CIOinsight and UBM Tech. He formerly was editorial director for Ziff-Davis Enterprise, where he launched the company’s custom content division, and has also served as editor in chief for CRN and InfoWorld. He also has held editorial positions at PC Week, Computerworld and Digital Review.