Tough Love for the Encryption Software That Was Compromised by Heartbleed

We all use OpenSSL whether we know it or not.

Photo by YASUYOSHI CHIBA/AFP/Getty Images

The Linux Foundation, which supports the Linux operating system and other open-source projects, is giving the open-source encryption protocol that contained the Heartbleed vulnerability some tough love. The foundation is funding an audit of OpenSSL’s code and also paying the salaries of two programmers who will work on OpenSSL full time.

Previously 10 volunteers devoted significant time to OpenSSL, and only developer Stephen Henson was full time. In hindsight this seems like a paltry team given that OpenSSL has been and continues to be ubiquitous. OpenSSL, or Secure Socket Layer, is a cryptographic protocol that secures interactions like online banking and many communication services. When you see the “https” prefix on a URL that’s OpenSSL at work. Henson will receive one Linux Foundation grant along with Andy Polyakov.

The OpenSSL project is part of a new broader effort called the Core Infrastructure Initiative that will give attention to underresourced, but valuable open source products. As the Linux Foundation’s announcement explains:

The computing industry has increasingly come to rely upon shared source code to foster innovation. But as this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support commensurate with their importance. CII changes funding requests from the reactive post-crisis asks of today to proactive reviews identifying the needs of the most important projects.

The project is being backed by large tech companies like Adobe, Amazon Amazon Web Services, Cisco, Facebook, and Google. Ars Technica reports that the companies are all giving at least $100,000 a year for three years. So far the Linux Foundation has raised $5.4 million over the next three years. And OpenSSL is also still collecting donations through the OpenSSL Foundation. Maybe open-source code makeovers will be the next big reality show. OK, probably not.