Tech Companies Create Fund To Avoid The Next Heartbleed Bug

04/24/2014 08:00 am ET | Updated Apr 24, 2014

The “Heartbleed” bug highlighted one of the Web’s great contradictions: Many enormously profitable companies rely on a tiny group of underpaid programmers to secure their websites -- and those programmers need some help.

Now they may be getting some. On Thursday, several big technology companies -- including Google, Facebook and Microsoft -- pledged financial support to the people who maintain OpenSSL, popular open-source software used to secure about two-thirds of all websites, as well as home routers, millions of smartphones running older Android operating systems, and other Internet-connected devices.

Earlier this month, researchers found that OpenSSL contained a major bug that allowed hackers to steal passwords, credit card data or Social Security numbers, forcing numerous companies to patch the flaw. The Heartbleed bug was created by a developer who said he accidentally inserted an error into the code.

The flaw went unnoticed for two years, but may have been caught sooner if companies that rely on the software had helped pay for a review of OpenSSL code, Ben Laurie, one of the programmers who works on the software, told HuffPost.

Now, a dozen technology firms have pledged $3.6 million -- or $300,000 each over the next three years -- to underfunded open-source projects. OpenSSL would be the first to receive funding.

Other companies contributing to the fund include Amazon, Cisco, Dell, IBM and Intel.

The money will go toward hiring key developers to work full time on the OpenSSL code, and to help review the software for bugs, according to Jim Zemlin, executive director of the Linux Foundation, a nonprofit that organized the funding.

Zemlin said the Heartbleed bug “would have been a lot less likely if they had more people working more hours on the core project.

“This is a genuine, no-strings-attached offer to help,” Zemlin said.

Despite its critical role in Internet security, the OpenSSL software is written and maintained largely by four people who live in Europe, as well as a few contributors. Most have other jobs during the day and maintain the code in their spare time.

Together, they earned less than $1 million last year for their work on OpenSSL from a mix of contract work and donations. The programmers don’t have time to check every line of code for flaws and can’t afford to pay for a formal code review.

Steve Marquess, president of OpenSSL Software Foundation, which raises money for the programmers, declined to comment Wednesday, saying he was still reviewing how much money would be earmarked for the project.

“It looks promising but we’re still evaluating the details,” Marquess said.
