Linux Foundation's CII Continues to Fund Open-Source Security Efforts

The Core Infrastructure Initiative that was launched in the wake of Heartbleed to provide funding for critical open-source infrastructure projects continues to advance.

Linux security

One of the key takeaways from the Heartbleed vulnerability in 2014 was that there was a need for more funding for critical open-source technology projects. That's why the Linux Foundation created the Core Infrastructure Initiative (CII) in April of 2014 and in 2015 is continuing to move forward with the effort.

Among the financial backers of CII are Adobe, Bloomberg, Hewlett-Packard, VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco. All told, Jim Zemlin, executive director of the Linux Foundation, said the CII has raised roughly $5.5 million in committed funds over the next three years.

While the CII was created in the aftermath of Heartbleed, which is a flaw in the open-source OpenSSL project, the scope is much wider than just one project. One of the most recent projects to benefit from the CII is the GNU Privacy Guard (GnuPG) email encryption technology, which is developed largely by developer Werner Koch.

"The Linux Foundation identified the need to support Werner Koch months ago and committed $60,000 to his work in January," Zemlin told eWEEK.

Koch achieved additional notoriety by way of a ProPublica article on Feb. 5 that detailed his funding challenges. As a result of the media exposure, Koch was able to raise 120,000 euros from individual donations. Zemlin said that the CII is happy that Koch's interview with ProPublica increased awareness of his work and that it resulted in additional support.

In terms of where the CII is allocating its money, Zemlin said that it has committed roughly half of the money it has raised so far to a variety of projects and efforts over a three-year period. In addition to OpenSSL and GnuPG, the CII is also providing support to OpenSSH, the Open Crypto Audit Project and Bash projects. More project funding news will be coming in the future, according to Zemlin.

In Zemlin's view, the CII is a cost-effective way for industry to improve state of security on Internet. Rather than spending millions of dollars remediating zero days, the promise of the CII is to help get ahead of issues before they become zero-day exploits. As part of delivering on that promise, the CII is conducting research to help determine what projects in fact require funding assistance.

"What we are looking for are market failures where the funding and resources for a project have not kept up with the importance of a project to society," Zemlin said.

There are multiple open-source efforts that have found what Zemlin referred to as a "natural market" for support. Those efforts include Linux, Hadoop and OpenStack, all of which enjoy broad vendor and financial support. Then there are other projects that have not had natural market support, including, OpenSSL, NTP, OpenSSH and GPG.

Zemlin added that finding the next 50 projects that need help takes real work and the CII's research can help identify the projects most in need.

"Also and equally important, it will inform us as to the best way to apply resources to help and not harm the natural markets and mechanisms that occur around open-source development," he said. "I suspect we will learn about some projects through other means, such as Twitter or traditional media. Whatever the vehicle, we're glad these projects are getting the attention they need."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.