Facebook, Google, Microsoft, Amazon and IBM are banding together to reduce the chance of another Heartbleed-like security flaw.
Experts regard Heartbleed as one of the most serious vulnerabilities in the history of the Internet. It stems from a coding error in the open-source project OpenSSL, which roughly 66% of web servers rely on to encrypt and protect their traffic.
The bug let anyone read chunks of a server's memory, exposing the secret encryption keys that were supposed to keep passwords and other data safe in transit. In other words, secret data could be pulled off a web server without authorization and without the server's operator being any the wiser.
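To make concrete what "an error in a line of code" means here, the following is an added, simplified C reconstruction of the bug's shape, written for this page and not taken from OpenSSL: a heartbeat-style handler that echoes back as many bytes as the peer's length field claims, beside a version that first checks that claim against the number of bytes that actually arrived. The record layout, constants, function names and the embedded "secret" are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model of a heartbeat-style record (an assumption for this
 * demo, not OpenSSL's real code or layout):
 *   byte 0     : message type (1 = request, 2 = response)
 *   bytes 1..2 : payload length, big-endian, supplied by the peer
 *   bytes 3..  : payload, then at least HB_MIN_PADDING bytes of padding
 */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

static uint16_t read_claimed_len(const uint8_t *rec)
{
    return (uint16_t)(((uint16_t)rec[1] << 8) | rec[2]);
}

/* Vulnerable shape: trusts the peer-supplied length and never compares it
 * with rec_len, the byte count that really arrived. If the peer claims more
 * than it sent, memcpy reads whatever follows the record in memory and
 * echoes it back to the peer. */
size_t heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                                  uint8_t *out, size_t out_cap)
{
    (void)rec_len;                      /* the bug: never consulted */
    uint16_t claimed = read_claimed_len(rec);
    if ((size_t)HB_HEADER_LEN + claimed > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, claimed);
    return HB_HEADER_LEN + claimed;
}

/* Fixed shape: drop the record unless header + claimed payload + minimum
 * padding all fit inside the bytes that actually arrived. */
size_t heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < (size_t)HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                       /* too short to be a valid record */
    uint16_t claimed = read_claimed_len(rec);
    if ((size_t)HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len)
        return 0;                       /* peer lied about the length */
    if ((size_t)HB_HEADER_LEN + claimed > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, claimed);
    return HB_HEADER_LEN + claimed;
}

/* Constructed demo: a request that really carries 2 payload bytes but claims
 * 32, placed in an arena that also holds a pretend secret a few bytes later
 * (standing in for key material elsewhere in the process). Keeping it all in
 * one array keeps the over-read inside memory we own. */
#define ARENA_LEN 64
static const char SECRET[] = "SESSION-KEY-0xDEADBEEF";  /* 22 bytes, made up */
static const size_t SECRET_OFF = 8;                      /* arena offset of SECRET */
static const size_t ACTUAL_REC_LEN = 5;                  /* header + "hi" */

static void build_arena(uint8_t *arena)
{
    memset(arena, 0, ARENA_LEN);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00;
    arena[2] = 0x20;                                     /* claims 32 bytes */
    memcpy(arena + HB_HEADER_LEN, "hi", 2);
    memcpy(arena + SECRET_OFF, SECRET, sizeof SECRET - 1);
}

/* Returns 1 if the vulnerable handler echoed the secret back. */
int demo_vulnerable_leaks_secret(void)
{
    uint8_t arena[ARENA_LEN], out[128];
    build_arena(arena);
    size_t n = heartbeat_reply_vulnerable(arena, ACTUAL_REC_LEN, out, sizeof out);
    if (n != HB_HEADER_LEN + 32)
        return 0;
    /* out[3..] mirrors arena[3..], so the secret lands at the same offset */
    return memcmp(out + SECRET_OFF, SECRET, sizeof SECRET - 1) == 0;
}

/* Returns 1 if the fixed handler refuses the same oversized claim. */
int demo_fixed_rejects_oversized_claim(void)
{
    uint8_t arena[ARENA_LEN], out[128];
    build_arena(arena);
    return heartbeat_reply_fixed(arena, ACTUAL_REC_LEN, out, sizeof out) == 0;
}

/* Returns 1 if the fixed handler still answers a well-formed request. */
int demo_fixed_answers_valid_request(void)
{
    uint8_t rec[HB_HEADER_LEN + 2 + HB_MIN_PADDING], out[128];
    memset(rec, 0, sizeof rec);
    rec[0] = HB_REQUEST; rec[1] = 0x00; rec[2] = 0x02;
    memcpy(rec + HB_HEADER_LEN, "hi", 2);
    size_t n = heartbeat_reply_fixed(rec, sizeof rec, out, sizeof out);
    return n == HB_HEADER_LEN + 2 && out[0] == HB_RESPONSE
        && memcmp(out + HB_HEADER_LEN, "hi", 2) == 0;
}

int main(void)
{
    printf("vulnerable leaks secret:       %d\n", demo_vulnerable_leaks_secret());
    printf("fixed rejects oversized claim: %d\n", demo_fixed_rejects_oversized_claim());
    printf("fixed answers valid request:   %d\n", demo_fixed_answers_valid_request());
    return 0;
}
```

The point of the pairing is how small the difference is: one length comparison against the bytes actually received. Nothing in the vulnerable path crashes or logs, which is why such a flaw can sit in widely deployed code for years.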
The bug had been present in OpenSSL for more than two years before it was patched and publicly announced. The Core Infrastructure Initiative is a project of the Linux Foundation, established to "fund open source projects that are in the critical path for core computing functions," according to a description on its website.
The group works with “an advisory board comprised of open source developers to identify and fund open source projects in need.”
Each participating company has committed $100,000 a year for three years, bringing the total to more than $4 million. The initiative's first project is OpenSSL, the library at the center of the Heartbleed bug, which is used by about 66% of web servers and also ships in thousands of hardware devices and client-side programs.
By all accounts the OpenSSL project has been badly underfunded: in 2013 it received just $2,000 in donations, and it has otherwise relied on contract work to fund itself.
"We want to allow the true artists – like the OpenSSL developers – to focus on their craft full-time," said a company representative.
Support from the dozen or so backers, including Facebook, HP, Microsoft, Google, Dell, Cisco, IBM, VMware, Qualcomm, Rackspace, Amazon Web Services and Fujitsu, does not mean those companies will control the open-source projects they fund.
The Linux Foundation has a solid track record of sponsoring open-source work, and the same companies contributing to the Core Infrastructure Initiative already sponsor Linux development through it.