Tech giants pledge millions to help prevent another Heartbleed

Himanshu Arora


The who's who of tech companies have agreed to donate millions of dollars to help key, yet under-funded open source projects in the wake of the recent Heartbleed bug crisis. According to ArsTechnica, companies like Amazon, Cisco Systems, Facebook, Google, IBM, Intel, Microsoft, and more, will contribute at least $3.9 million to the Core Infrastructure Initiative, which will be hosted at the San Francisco-based non-profit Linux Foundation.

Open source software like OpenSSL is core to the business of many big technology corporations, which use the library on their websites to send encrypted data safely between servers and clients.

But the crucial role OpenSSL plays in securing the Internet wasn't matched by the financial resources devoted to maintaining it. According to OpenSSL Software Foundation President Steve Marquess, the project received $2000 a year in donations and has only one full-time employee.

"I think we got a little too comfortable as a community of software developers, and we shouldn't be," says Chris DiBona, director of open source at Google, adding that "We should really pay way more attention to the quality of our security software and of these core bits."

It's not that every open source project is under-resourced and cash-starved. Many projects receive good support from the companies that depend on them. For example, the Linux kernel project has multiple employees and financial support from tech giants like HP, IBM, Red Hat, Intel, Oracle, Google, Cisco, and more.

According to Jim Zemlin, executive director of the Linux Foundation, companies will contribute $100,000 per year, with a minimum three-year commitment. Although the money will go to multiple open source projects, OpenSSL is at the top of the list.

All it really took was having a huge security flaw to wake the companies up. If they had actually really thought about it, this might have been caught before it got to the public. It's like Sony and various other companies: you need a breach to remind you your security is flawed. Even if nothing really happened to various companies, it still doesn't mean something didn't in all this time. It's just that they only took the time to actually look because of the widespread panic of people worried about their accounts or websites.
 
$2000 a year in donations to OpenSSL, are you serious??? No wonder it happened. That's pathetic when you think about it; that's like what, one month's wages for one programmer....

More like half a month of salary for a junior developer... and not including health insurance.
 
I don't get this Heartbleed story. I understand that it's a hole in OpenSSL that can be used by hackers to steal stuff, but when they say "to prevent another Heartbleed", what actually happened?

Also, if they didn't fix this hole for such a long time, maybe it was made by someone on purpose. Just a thought.