
Big tech companies are offering millions after the Heartbleed crisis

By Jim Finkle

BOSTON (Reuters) – The world’s largest technology companies are contributing millions of dollars to fund improvements to open source programs such as OpenSSL, the software whose “Heartbleed” bug has caused confusion in the computer industry.

Amazon.com Inc, Cisco Systems Inc, Facebook Inc, Google Inc, IBM, Intel Corp and Microsoft Corp are among a dozen companies that have agreed to become founding members of the group known as the Core Infrastructure Initiative. They will each donate $300,000 to the effort, which aims to attract more supporters among technology companies and the financial services sector.

Other early supporters include Dell, Fujitsu Ltd, NetApp Inc, Rackspace Hosting Inc and VMware Inc.

The industry was spurred into action after a group of developers who volunteer to maintain OpenSSL revealed they were receiving donations averaging around $2,000 a year to support the project, whose code is used to secure two-thirds of the world’s websites and is included in the products of many of the most profitable technology companies in the world.

“I think as an industry we become complacent when we see something working well or working ‘well enough.’ We kind of see it as ‘maintenance work,’” said Chris DiBona, Google’s director of open source software and engineering. “We need to be a little more vigilant.”

According to security experts, the Heartbleed bug likely cost companies tens of millions of dollars in lost productivity as they had to update their systems with patched versions of OpenSSL. It has also already led to at least one major cyberattack: the theft of data from the Canada Revenue Agency.

The nonprofit Linux Foundation, which promotes the development of the open-source Linux operating system, organized the group, which it announced on Thursday.

It will support the development of OpenSSL, as well as other pieces of open source software that are critical parts of the world’s technology infrastructure, but whose developers do not necessarily have adequate financial resources to support their work, said Jim Zemlin, executive director of the Linux Foundation.

Heartbleed is a serious flaw in OpenSSL encryption software, which is widely used to secure websites and technology products including mobile phones, data center software and telecommunications equipment. It exposes systems to data theft by hackers who can attack them without leaving a trace.

Open source software refers to programs developed by groups of developers around the world who want community involvement to improve the code. Companies can usually incorporate such code into their products without paying any fees to the volunteer developers who maintain the code.

Some types of open source software, such as Linux and the MySQL database, have versions sold by companies such as Red Hat Inc and Oracle Corp that offer premium services such as updates and technical support.

Zemlin said in an interview that the Core Infrastructure Initiative expects to offer one or more members of the small crew of OpenSSL developers full-time work on the project through fellowships.

He said the initiative will also identify other projects, beyond OpenSSL, that it believes are equally important to the Internet infrastructure and deserve support.

Eben Moglen, a professor and lawyer at Columbia Law School who represents many open source software projects, said he believes there are between six and 10 such open source programs.

“The process of ensuring software security is continuous. It never ends,” said Moglen, whose clients include the OpenSSL developer group.

(Reporting by Jim Finkle; Editing by Chizu Nomiyama)