Google, Microsoft, Intel and Facebook join forces to prevent another Heartbleed fiasco
New Delhi, India, April 26, 2014: A consortium of information technology firms including Intel, Google, Microsoft, Facebook, Dell and IBM has joined forces to try to prevent another security crisis like Heartbleed.
The new project, blandly named the “Core Infrastructure Initiative” (CII), will be housed at The Linux Foundation and will fund open source projects that “are in the critical path for core computing functions”, or, put simply, pump money into the critical software infrastructure that needs it.
The Linux Foundation described it as “a multi-million dollar project… inspired by the Heartbleed OpenSSL crisis”, with its funds administered by the foundation alongside a steering group composed of the project’s backers as well as key open source developers and other industry stakeholders.
“The steering group will work with an advisory board of esteemed open source developers to identify and fund open source projects in need,” the Linux Foundation said on the webpage for the project.
“Support from the initiative can include funding for fellowships for key developers to work full time on the open source project, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support.”
Early backers of the project include Google, Facebook, IBM, Intel, Dell, Cisco, Amazon Web Services, Microsoft, Qualcomm, Rackspace, VMware, NetApp and Fujitsu.
The Linux Foundation said it expects more to follow suit in the coming weeks and months. Its members will have the role of evaluating open source projects that are essential to global computing infrastructure and are experiencing under-investment.
“These companies recognize the need for directed funds for highly critical open source software projects they all consume and that run much of modern day society,” the foundation added.
The Heartbleed bug was discovered earlier this month in a software library used in servers, operating systems, and email and instant messaging systems; it allows anyone to read the memory of systems running vulnerable versions of OpenSSL.
OpenSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols by which email, instant messaging, and some VPNs are kept secure.
The vulnerability is called Heartbleed because it lies in the OpenSSL implementation of the TLS/DTLS heartbeat extension described in RFC 6520; when it is exploited it leaks memory contents from the server to the client and from the client to the server.
Researchers from the security firm Codenomicon said that attackers could take advantage of the bug to eavesdrop on communications, steal data directly from server or client systems, and impersonate users and servers.
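To make the heartbeat problem concrete, the following is an added illustration of the RFC 6520 heartbeat record layout with the bounds check whose absence caused Heartbleed: a receiver must compare the sender's declared payload length against the bytes actually received before echoing anything back. This is not code from the article, from OpenSSL, or from the CII; the record layout, padding size and function names are assumptions for demonstration.

```python
import struct

# Assumed RFC 6520 heartbeat layout (constructed for this example, not OpenSSL code):
#   type (1 byte: 1 = request, 2 = response) | payload_length (2 bytes, big-endian)
#   | payload (payload_length bytes) | padding (at least 16 bytes)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(msg_type, payload, declared_length=None):
    """Build a heartbeat record. declared_length lets a test deliberately
    construct a record whose header claims more payload than is present."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", msg_type, length) + payload + b"\x00" * MIN_PADDING


def parse_heartbeat(record):
    """Parse a heartbeat record with the length check the vulnerable code lacked.
    Returns (type, payload) for a well-formed record, or None if it is malformed."""
    if len(record) < 3:
        return None  # header alone is incomplete
    msg_type, declared = struct.unpack("!BH", record[:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # RFC 6520 section 4: silently discard a message whose payload_length is
    # too large for the record. Without this check, a receiver that trusts the
    # declared length copies 'declared' bytes from memory past the real payload.
    if 3 + declared + MIN_PADDING > len(record):
        return None
    return msg_type, record[3:3 + declared]


def respond(record):
    """Echo a well-formed request; a malformed one gets no response (mirrors the fix)."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])
```

Run `respond(build_heartbeat(HEARTBEAT_REQUEST, b"ping"))` to see a normal echo, and pass `declared_length=65535` to see the malformed record rejected instead of answered.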