Marcio Jose Sanchez/AP
Google is among several companies putting money into a fund to help safeguard the Internet from possible security flaws in open-source software.
Google is among several companies putting money into a fund to help safeguard the Internet from possible security flaws in open-source software. Marcio Jose Sanchez/AP
Google, Intel, Facebook and many other tech giants are pooling their money together — for the first time — to fix a glaring hole in cybersecurity. They're launching a multimillion-dollar fund to protect open-source code — the code that anyone can use for free, and that often gets overused and underprotected.
The recent Heartbleed bug crisis was a wake-up call to tech companies, and this new fund is an admission of guilt.
"I think we got a little too comfortable as a community of software developers, and we shouldn't be," says Chris DiBona, director of open source at Google. "We should really pay way more attention to the quality of our security software and of these core bits."
Open-source software is core to the business of many high-tech firms. But for years, they've been using it for free. OpenSSL — the code that got hit by the Heartbleed bug — is used by the majority of websites to send encrypted data safely between users and servers. But Google and others had put zero dollars into the maintenance and upkeep of the software.
The goal now, DiBona says, is to come together "and try to root out these problems before they become problems of the scale of Heartbleed and other holes that are probably lurking out there in the software we all depend on."
Open source is getting more popular, and companies are seeing that when software gets reviewed and edited by many eyeballs, it can be a lot stronger than private, proprietary code.
One of the best-funded open-source projects is Linux. Jim Zemlin, executive director of the Linux Foundation, put in the phone calls to make this new fund happen.
"It was inspired by Winston Churchill, who said, 'Never let a good crisis go to waste,' " Zemlin says.
This pledge of relief money is kind of like when nation-states get together after a tsunami or hurricane and each puts in a little bit.
"Each of the companies is contributing $100,000 per year, with a minimum three-year commitment," Zemlin says. "So it's a long-term commitment — at least long term in technology scale."
Zemlin says the foundation will make sure the money goes to the collective good, and not just one company's bottom line.