Announcements

News Highlights

* Additional founding members Adobe, Bloomberg, HP, Huawei and salesforce.com join CII

* Network Time Protocol, OpenSSH and OpenSSL first projects to receive support; Open Crypto Audit Project to conduct security audit of OpenSSL

* Advisory Board members include longtime Linux kernel developer and open source advocate Alan Cox; Matt Green of Open Crypto Audit Project; Dan Meredith of the Radio Free Asia’s Open Technology Fund; Eben Moglen of Software Freedom Law Center; Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School; Eric Sears of the MacArthur Foundation; and Ted Ts’o of Google and the Linux kernel community

SAN FRANCISCO, May 29, 2014 – The Core Infrastructure Initiative (CII), a project hosted by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund open source projects that are in need of assistance, today announced five new backers, the first projects to receive funding from the Initiative and the Advisory Board members who will help identify critical infrastructure projects most in need of support.

CII provides funding for fellowships for key developers to work fulltime on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support. The Steering Committee, comprised of members of the Initiative, and the Advisory Board of industry stakeholders and esteemed developers, are tasked with identifying underfunded open source projects that support critical infrastructure, and administering the funds through The Linux Foundation.

The computing industry has increasingly come to rely upon shared source code to foster innovation. But as this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support commensurate with their importance. CII changes funding requests from the reactive post-crisis asks of today to proactive reviews identifying the needs of the most important projects. By raising funds at a neutral organization like The Linux Foundation, the industry can effectively give these projects the support they need while ensuring that open source projects retain their independence and community-based dynamism.

“All software development requires support and funding. Open source software is no exception and warrants a level of support on par with the dominant role it plays supporting today’s global information infrastructure,” said Jim Zemlin, executive director at The Linux Foundation. “CII implements the same collaborative approach that is used to build software to help fund the most critical projects. The aim of CII is to move from the reactive, crisis-driven responses to a measured, proactive way to identify and fund those projects that are in need. I am thrilled that we now have a forum to connect those in need with those with funds.”

Additional Backers Represent Overwhelming Support for Open Source Projects

Additional founding members of CII include Adobe, Bloomberg, HP, Huawei and salesforce.com. These companies represent the ongoing and overwhelming support for the open source software that provides the foundation for today’s global infrastructure. They join other members of CII who include Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace and VMware. Comments from some of the newest members are included below.

Range of Projects Prioritized for First Round of Funding

Upon an initial review of critical open source software projects, the CII Steering Committee has prioritized Network Time Protocol, OpenSSH and OpenSSL for the first round of funding. OpenSSL will receive funds from CII for two, fulltime core developers. The OpenSSL project is accepting additional donations, which can be coordinated directly with the OpenSSL Foundation (contact at info@opensslfoundation.com).

The Open Crypto Audit Project (OCAP) will also receive funding in order to conduct a security audit of the OpenSSL code base. Other projects are under consideration and will be funded as assessments are completed and budget allows.

Esteemed Industry Experts Will Advise CII on Projects Most in Need

The CII Advisory Board will inform the CII Steering Committee about the open source projects most in need of support. With highly esteemed experts from the developer, security and legal communities, the CII Advisory Board plays an important role in prioritizing projects and individuals who are building the software that runs our lives.

Alan Cox is a longtime Linux kernel developer and has been recognized by the Free Software Foundation for advancing free software.

Matthew Green is a Research Professor of Computer Science at the Johns Hopkins University and a co-founder of the Open Crypto Audit Project. His research focuses on computer security and cryptography, and particularly the way that cryptography can be used to promote individual privacy.

“Whether we acknowledge it or not, the security of today’s Internet depends on a small number of open source projects. This initiative puts the resources in place to ensure the long-term viability of those projects. It makes us all more secure,” said Green.

Dan Meredith is a director at Radio Free Asia’s Open Technology Fund. He has been an activist and technologist exploring emerging trends intersecting human rights, transparency, global communication policy, the Internet, and information security for over a decade.

Eben Moglen is a professor of law and legal history at Columbia University and is the founder, director-counsel and chairman of Software Freedom Law Center. He is considered the foremost expert on open source legal practices and represents a variety of open source projects and developers.

Bruce Schneier is a fellow at the Berkman Center for Internet & Society at Harvard Law School and a well-recognized expert on computer security and privacy. He is also a fellow at New America Foundation’s Open Technology Institute.

Schneier commented on the Core Infrastructure Initiative: “This is an important step towards improving the security of the Internet. I’m happy to see the technology companies that rely on the security of open source software investing in that security.”

Eric Sears is a Program Officer for Human Rights for MacArthur Foundation. His grant-making portfolio includes efforts to strengthen digital free expression and privacy through advancing a more open and secure Internet.

Ted Ts’o has been recognized as the first Linux kernel developer in North America and today is a file system developer at Google who is also the Linux /dev/random maintainer.

Member Comments

Adobe

“Adobe believes that open development and open source software are fundamental building blocks for software development,” said Dave McAllister, director of open source at Adobe. “The Core Infrastructure Initiative allows us to extend our support through a neutral forum that can prioritize underfunded yet critical projects. We’re excited to be a part of this work.”

Bloomberg

“Open source software provides a critical foundation for the technologies we build for our clients,” said Shawn Edwards, CTO, Bloomberg. “We are proud to support the Core Infrastructure Initiative so we can contribute to building the foundational technologies that make future innovation possible.”

HP

“HP strongly believes in the quality of open source software, as evidenced by its use, participation in, and support of open source projects and software,” said Eileen Evans, vice president and deputy general counsel, cloud and open source, HP.  “As a member of the Core Infrastructure Initiative, HP will lend its expertise and resources to further improve the technology of open source global information infrastructure, and in particular, work to reduce the likelihood of security-related incidents.”

Salesforce.com

“Open source software has fueled the advancements we’ve seen over the last decade in cloud and mobile computing,” said Parker Harris, co-founder, salesforce.com. “That is why supporting the Linux Foundation’s Core Infrastructure Initiative is an absolute necessity in today’s software industry, and salesforce.com is delighted to contribute to this effort and foster the next generation of open source computing innovation.”

Anyone can donate to the Core Infrastructure Initiative fund. To join or donate or find out more information about the Core Infrastructure please visithttps://www.linuxfoundation.org/programs/core-infrastructure-initiative

About The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

The Linux Foundation, Linux Standard Base, MeeGo, Tizen and Yocto Project are trademarks of The Linux Foundation. OpenBEL is a trademark of OpenBEL Consortium. OpenDaylight is a trademark of the OpenDaylight Project, Linux is a trademark of Linus Torvalds

# # #

New Gold Member Partners with CII to Improve Internet Security and Fortify Open Source Infrastructure

San Francisco, June 6, 2017 – The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that collaboratively works to improve the security and resilience of critical open source projects, today announced that Thales is joining as a new gold member.

A leader in critical information systems, cybersecurity and data security, Thales offers advanced data security solutions and services, delivering trust wherever information is created, shared or stored. It is recognized for its deep information and cryptographic security expertise that enables organizations to confidently accelerate their digital transformation. Thales technology is found right across the enterprise, in financial services, retail, healthcare and government and secures more than 80% of debit card transactions around the world.

The CII’s mission is to ensure that the open source code that underpins business today is secure and resilient. Many of the world’s largest technology companies already belong to CII, and Thales is the first global security business to join the initiative.

“CII is incredibly excited to see our membership base expand and add a security-focused company like Thales, which has a vast understanding of the complex information technology demands we face in today’s digital world,” said Nicko van Someren, CII Executive Director. “Its investment validates the importance of CII and is a great vindication of our work to security harden open source infrastructure to combat today’s complicated threat landscape.”

“Thales has implemented open source building blocks and standards both internally and for customers for two decades,” said Jon Geater, Chief Technology Officer at Thales e-Security. “Open Source in general and Linux in particular have become core to delivery of modern products and system, offering distinct utility, cost and performance advantages that we increasingly leverage to solve real-world problems. By joining CII we can bring our expertise and focus on security to bear on strengthening core open source infrastructure and working to eliminate the security weaknesses that can emerge from less well maintained or directed inclusion of Open Source technology into products and infrastructure in the Cloud and IoT era. This shared vision of Thales and the Linux Foundation is critical to Thales’s strategic development objectives, our ability to serve our customers, and to improving the state of the Connected World more generally.”

CII recently celebrated its three-year anniversary and announced a new governance structure to enable it to scale up its operations going forward.

About Thales e-Security

Thales e-Security is the leader in advanced data security solutions and services, delivering trust wherever information is created, shared or stored. We ensure that company and government data is secure and trusted in any environment – on premise, in the cloud, in data centers and in big data environments – without sacrificing business agility. Security doesn’t just reduce risk, it’s an enabler of the digital initiatives that now permeate our daily lives – digital money, e-identities, healthcare, connected cars and with the internet of things (IoT) even household devices. Thales provides everything an organization needs to protect and manage its data, identities and intellectual property and meet regulatory compliance – through encryption, advanced key management, tokenization, privileged user control and meeting the highest standards of certification for high assurance solutions. Security professionals around the globe rely on Thales to confidently accelerate their organization’s digital transformation. Thales e-Security is part of Thales Group. www.thales-esecurity.com

About Thales

Thales is a global technology leader for the Aerospace, Transport, Defense and Security markets. With 64,000 employees in 56 countries, Thales reported sales of €14.9 billion in 2016. With over 25,000 engineers and researchers, Thales has a unique capability to design and deploy equipment, systems and services to meet the most complex security requirements. Its exceptional international footprint allows it to work closely with its customers all over the world.

About The Core Infrastructure Initiative

CII is a multimillion-dollar project that funds and supports critical open source elements of the global information infrastructure. It is organized by The Linux Foundation and supported by Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, Huawei, Intel, Microsoft, NetApp, NEC, salesforce.com, and VMware. Moving beyond funding projects, CII is introducing preemptive tools and programs to help the open source ecosystem and the companies who support it deploy secure coding practices. For more information, please visit: https://www.coreinfrastructure.org/.

About The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

###

The Linux Foundation, Linux Standard Base, MeeGo, Tizen and Yocto Project are trademarks of The Linux Foundation. OpenBEL is a trademark of OpenBEL Consortium. OpenDaylight is a trademark of the OpenDaylight Project, Linux is a trademark of Linus Torvalds.

OpenSSL Launches New Website to Organize Process, Seeks to Contact All Contributors

“This re-licensing activity will make OpenSSL, already the world’s most widely-used FOSS encryption software, more convenient to incorporate in the widest possible range of free and open source software,” said Mishi Choudhary, Legal Director of Software Freedom Law Center (SFLC) and counsel to OpenSSL. “OpenSSL’s team has carefully prepared for this re-licensing, and their process will be an outstanding example of ‘how to do it right.’ SFLC is pleased to have been able to help the team bring this process to this point, and looks forward to its successful and timely completion.”

The website will aid the OpenSSL team’s efforts to contact everyone who has contributed to the project so far, which includes nearly 400 individuals with a total of more than 31,000 commits. The current license dates back to the 1990’s and is more than 20 years old. The open source community has grown and changed since then, and has mostly settled on a small number of standard licenses.

After careful review, consultation with other projects, and input from the Core Infrastructure Initiative and legal counsel from the SFLC, the OpenSSL team decided to relicense the code under the widely-used ASLv2.

“The Linux Foundation is excited to see the OpenSSL project re-licensing under the Apache License,” said Nicko van Someren, Chief Technology Officer, the Linux Foundation. “Using a standard and well-understood license is a huge benefit when incorporating a FOSS project into other projects and products. OpenSSL has made huge progress in recent years, in part through support from the Linux Foundation’s Core Infrastructure Initiative, and this license move will further help to ensure it remains one of the most important and relied-upon open source projects in the world.”

The website contains a list of every email address mentioned in every single commit, a searchable database of authors, and the ability to send email and approve the license change. Because email addresses change, the website will also be updated over time to record email bounces and the names of people the project is still trying to reach.

“Oracle is proud to extend its collaboration with the OpenSSL Foundation by relicensing its contributions of elliptic curve cryptography,” said Jim Wright, Chief Architect of Open Source Policy, Strategy, Compliance and Alliances, Oracle. “OpenSSL is a critical component in both Oracle products and the infrastructure of the Internet, and we strongly believe the increased use of cryptography fostered by OpenSSL will benefit the entire enterprise software community.”

“Intel is thrilled to see OpenSSL moving to the standard Apache 2.0 license, improving license compatibility within the Open Source ecosystem,” said Imad Sousou, Vice President and General Manager of the Open Source Technology Center, Intel. “This will help defragment the open source cryptography ecosystem, leading to stronger and more pervasive use of crypto to improve privacy and security in the global technology infrastructure.”

Additional details on the decision to move to ASLv2 are available here. For progress updates on re-licensing, which is expected to take several months, check the website and project mailing lists.

To reach the OpenSSL team involved in this effort, email license@openssl.org. The team also asks that anyone who knows of other people who should be contacted, such as “silent collaborators” on code contributions, to also send email.

Grant Helps Fund New Developers Working on Debian GNU/Linux and FreeBSD to  Improve Software Security and Control

SAN FRANCISCO, November 11, 2016 — The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and developers to collaboratively identify, fund and improve the security of critical open source projects, today announced continued financial support for the Reproducible Builds Project.

CII is a multimillion-dollar project that funds and supports critical elements of the global information infrastructure. It is organized by The Linux Foundation and supported by Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware. Moving beyond funding projects, CII is introducing preemptive tools and programs to help the open source ecosystem and the companies who support it deploy secure coding practices. For a full list of CII grantees, please visit:https://www.coreinfrastructure.org/grantshttps://www.coreinfrastructure.org/grants.

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

# # #

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Grant Accelerates Work to Deliver OWASP ZAP as a Service, Making it Accessible to More Developers

SAN FRANCISCO, June 3, 2016 — The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify, fund and improve the security of critical open source projects, today announced it is investing in the Open Web Application Security Project Zed Attack Proxy project (OWASP ZAP).

This testing tool helps developers automatically find security vulnerabilities in web applications during development and testing. Both easy to use and freely available, it appeals to a wide range of users with varying security knowledge, even first-time testers.

CII’s sponsorship adds a full-time core developer to work on accelerating ZAP as a Service, which will allow ZAP to also be deployed as a long running, highly scalable, distributed service accessed by multiple users with different roles.

Recently voted the most preferred open source testing tool for the second time in three years by users and ToolsWatch readers, OWASP ZAP is one of the world’s most popular security tools. Hundreds of volunteers around the globe help to continually improve and enhance OWASP ZAP, according to Project Lead Simon Bennetts, who works for Mozilla as part of its security team.

“OWASP ZAP is a proven and powerful security tool that will gain even broader applicability with an increase in dedicated resources,” said Emily Ratliff, senior director of infrastructure security, The Linux Foundation. “CII is excited to help advance work that’s already underway to run ZAP in new, different ways, especially in partnership with like-minded organizations like OWASP and Mozilla as they work to ensure the Internet is a safe, global resource.”

OWASP ZAP joins projects like OpenSSL, OpenSSH, NTPd and other fundamental projects CII and its members invest in to encourage software development best practices and secure coding processes.

“The CII grant has had an immediate impact on OWASP ZAP. We’ve added a developer, improved coding best practices, set up a predictable release schedule and roadmap and performed audits to help future-proof our code,” said Bennetts.

“I’m very excited to see ZAP get the commitment of a full time developer,” said Michael Coates, former chairperson of the OWASP board, a not-for-profit that ensures ongoing availability and support for OWASP. “ZAP is a pivotal tool for use in assessing the security of a web site. As an open source project that is free for everyone to use, the commitment of development resources from CII will greatly advance its capabilities and usability for all.”

“With a service-based offering, ZAP will extend itself to a whole new level of maturity and usability that will amplify its value to the community,” said Matt Konda, chair of the OWASP Board of Directors. “Even more than that, ZAP continues to be a model for what OWASP can achieve.”

CII funds projects that help the open source community’s ability to deliver and maintain secure secure code. Additionally communication security is a critical need, so funding is also prioritized for projects that improve related, often at-risk services like embedded, IoT, mobile, server and web applications. To submit a grant proposal, apply online using the CII grants management solution. Funding decisions are made on a rolling basis, so grants are issued at any time.

About Core Infrastructure Initiative

CII is a multimillion-dollar project that funds and supports critical elements of the global information infrastructure. It is organized by The Linux Foundation and supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware. Moving beyond funding projects, CII is introducing pre-emptive tools and programs to help the open source ecosystem and the companies who support it deploy secure coding practices. For a full list of CII grantees, please visit: https://www.coreinfrastructure.org/grantshttps://www.coreinfrastructure.org/grants.

About The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

###

The Linux Foundation and Linux Standard Base are trademarks of the Linux Foundation. Linux is a trademark of Linus Torvalds.

Two Prominent Cyber Security Authorities Become New CII Advisory Board Members

Seattle, LinuxCon/CloudOpen North America, August 18, 2015 – The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund critical open source projects in need of assistance, today announced it is developing a new free Badge Program, seeking input from the open source community on the criteria to be used to determine security, quality and stability of open source software.

The first draft of the criteria is available on GitHub and is spearheaded by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses (IDA) and is also coordinating the CII’s Census Project, and Dan Kohn, a senior adviser on the CII.

Virtually every industry and business leverages open source, and is therefore more interconnected and dependent on it than ever before. Despite its prevalence, trying to quickly determine the best maintained and most secure open source to use is a complex problem for both seasoned CIOs and nimble developers. The self-assessment, and the badges that will follow, are designed to be a simple, fairly basic way for projects to showcase their commitment to security and quality. The criteria is also meant to encourage open source software (OSS) projects to take positive steps with both in mind and to help users know which projects are taking these positive steps.

Established in 2014 in response to the Heartbleed vulnerability, CII is a multi-million dollar project that funds and supports critical elements of the global information infrastructure. Moving beyond funding projects, CII is introducing pre-emptive tools and programs to help the open source ecosystem and the companies who support it deploy secure coding practices.

“By coming out early with some initial criteria, we hope that the community will quickly get involved and not only influence the questions, but also acknowledge how important it is for developers to be able to quickly assess the health of a project that they depend on,” said Emily Ratliff, Senior Director of Infrastructure Security at The Linux Foundation. “A free, credible badge system can fill this niche, ensuring that new projects depend only upon the healthiest open source projects, thus improving our global Internet infrastructure.”

Projects that follow best practices can still have vulnerabilities, other bugs, and other kinds of problems, but they should be a better position to prevent, detect and fix them.  For example, many practices suggest a multi-person review, which can help find otherwise hard-to-find vulnerabilities. Currently the criteria include general best practices combined with questions specific to security. The questionnaire asks if a project includes an OSS license; a public version-controlled source repository; a general mailing list; an automated regression test suite; and at least one static analysis tool applied to source code to look for vulnerabilities.

CII Adds Two New Advisory Board Members

Adam Shostack is a technologist, entrepreneur, author and game designer. He’s a member of the BlackHat Review Board and helped found the Common Vulnerabilities and Exposures (CVE) and many other things.  He’s been sharing knowledge about developing secure software since 1996.  While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of Microsoft’s SDL Threat Modeling Tool v3 and created the “Elevation of Privilege” game.  Adam is the author of “Threat Modeling: Designing for Security,” and the co-author of “The New School of Information Security.” For more on Adam, see adam.shostack.org.

The second new CII advisory board member is Tom Ritter, Practice Director of Cryptography Services, part of NCC Group, where he performs application penetration testing and cryptographic analysis for multiple platforms and environments. He has spent several years leading application security assessments and research on everything from browsers to embedded cell towers, and before that worked as a developer in the financial services sector. Some of his public work can be seen at security conferences in Europe, North and South America and in managing NCC Group’s work with the Open Technology Fund and the Open Crypto Audit Project, comprising public reports on TrueCrypt, TorBrowser and several other applications. He is involved in IETF Working Groups for secure protocols, is a volunteer for the Tor Project, and works towards security, anonymity, and privacy on the Internet.

The CII also continues to provide funding for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support. CII accepts grant applications ongoing with priority given to underfunded open source projects that support the largest amount of infrastructure. To submit a grant application or for more information, go to: http://www.linuxfoundation.org/programs/core-infrastructure-initiative.

About The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

###

The Linux Foundation and Linux Standard Base are trademarks of the Linux Foundation. Linux is a trademark of Linus Torvalds.

Project Creates Methodology for Assessing Open Source Software in Need of Support 

San Francisco, July 9, 2015 – The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund critical open source projects in need of assistance, today announced The Census Project, a new program that analyzes popular open source projects to identify which ones are critical to Internet infrastructure and also most in need of additional support and funding.

The Heartbleed vulnerability in the open source software (OSS) program OpenSSL had widespread impact and serious ramifications. It led to the formation of the multi-million dollar Core Infrastructure Initiative backed by The Linux Foundation and industry leaders like Amazon Web Services, Facebook, Google, IBM, Microsoft.

The Census Project expands on the CII’s efforts to collaboratively identify and fund critical open source projects in need of assistance. It automates the collection and analysis of data on different open source projects, ultimately creating a risk score for each project based on the results. Projects with a higher ranking are especially in need of reinforcements and funding; and, as a result, CII will consider such projects priority candidates for funding. A high score means that the project may not be getting the attention that it deserves and that it merits further investigation.

“Measuring software security is an ongoing struggle that’s notoriously difficult given missing or messy data,” said Jim Zemlin, Executive Director at The Linux Foundation. “There’s no perfect set of metrics to guarantee that software is secure or not. The Census Project brings the power of the open source collaboration to help fill this massive gap, which will provide a useful barometer for assessing software from a security point of view.  We look forward to feedback on the effort in order to improve the census itself and subsequently the software that we all depend on for our privacy and security.”

With full source and data available on GitHub, developers and security experts are invited to participate in The Census Project, from experimenting with different metrics, providing corrected data, proposing new projects to include in the evaluation, and suggesting alternative formulas for combining the data. Anyone can issue a pull request with suggested changes from the most successful alternatives.

Who Oversees The Census Project and How is It Funded
The Census Project is coordinated by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses (IDA), a nonprofit organization that operates three federally funded research and development centers and exists to promote national security, preserve the public welfare, and advance scientific learning by analyzing, evaluating, and reporting on matters of interest to the United States Government.

Funded by CII and by the U.S. Department of Homeland Security Homeland Open Security Technology (DHS HOST) program for Georgia Tech Research Institute, IDA’s work is summarized in the new report “Open Source Software Projects Needing Security Investments,” which outlines past research and approaches used to calculate risk as well as Wheeler’s newest Census Project findings and methodology.

Supporting software for capturing data, sourced from the Black Duck Open HUB (formerly Ohloh), a free online community and public directory of free and open source software (FOSS), is written in Python by Samir Khakimov of IDA. The code is released under the open source MIT license.

Census Project Results 
The Census Project is examining a subset of Debian software packages, which are widely used, and other packages CII and Wheeler’s team identified as potentially concerning. Using this process, the project pinpointed software CII already funds, including OpenSSL, OpenSSH, NTP, and GnuPG.

“The Census Project aims to become an excellent framework for guiding CII funding to the projects most in need,” said Emily Ratliff, Senior Director of Infrastructure Security at The Linux Foundation. “CII members expect The Census Project to accelerate the process by which projects that are in need receive support and additional funds.”

How the Census Projects Works 
The Census Project automatically gathers important metrics, such as Common Vulnerabilities and Exposures (CVEs) filed and popularity, with a focus on less active projects. IDA and CII experts estimate a program’s exposure to attack using an algorithm to evaluate the data collected, which generates a list of projects that require more scrutiny. The algorithm also considers factors such as recent activity and if a project web site exists, to assign a risk index number ranging from 0-16.  Final results of this cumulative process are available online with the ability to sort software by risk score, CVE count, contributor count and popularity.

The Census Project is a key part of CII’s transition to move beyond point fixes toward more holistic, preemptive solutions for open source security. In addition to this new service, CII continues to fund key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, and face-to-face meeting coordination. The multi-million dollar project is organized by The Linux Foundation and supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, Salesforce, and VMware.

Additional Resources
The Census Project
The Census Project on GitHub
Census Project Short Summary
“Open Source Software Projects Needing Security Investments,” by David A. Wheeler, Project Leader (Institute for Defense Analyses) & Samir Khakimov (Institute for Defense Analyses)

About The Linux Foundation
The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

Linux Security Expert Emily Ratliff Hired to Oversee CII and Tackle Open Source Security 

San Francisco, June 22, 2015 – The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund critical open source projects in need of assistance, today announced financial support of nearly $500,000 for three new projects to better support critical security elements of today’s global information infrastructure. Established in 2014 in response to the Heartbleed vulnerability, more than 20 companies founded CII to fortify the security of key open source projects.

CII’s funds will support a new open source automated testing project, the Reproducible Builds initiative from Debian, and IT security researcher Hanno Böck’s Fuzzing Project. Additionally, The Linux Foundation is announcing Emily Ratliff is joining The Linux Foundation as senior director of infrastructure security for CII. Ratliff is a Linux, system and cloud security expert with more than 20 year’s experience. Most recently she worked as a security engineer for AMD and logged nearly 15 years at IBM.

“I’m excited to join the Linux Foundation and work on the Core Infrastructure Initiative because improving the security of critical open source infrastructure is a bigger problem than any one company can tackle on their own,” said Ratliff. “I’m looking forward to working with CII members to more aggressively support underfunded projects and work to change the way the industry protects and fortifies open source software.”

The CII provides funding for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support. The multi-million dollar project is organized by The Linux Foundation and supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware.

New CII Grants and Projects include:

Reproducible Builds – For distributions like Debian and Fedora, it is essential that the machines used to build binaries distributed to users have not been compromised by unknown attackers. Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, thus enabling anyone to independently verify that a binary matches the source code from which it was said it was derived. Without it, even with software containing carefully audited source code, it is much harder to detect if binaries have been tampered with before they get in the hands of users.

Compiler output usually differs from one version to another. Even when reproducing the original build environment as closely as possible, specific information about the process such as date and time or ordering of files can introduce hard-to-understand variations in the build results. Enabling easy ways to record and restore a given build environment and making the compilation processes fully deterministic by removing or normalizing variations allows anyone to verify for themselves that the file they received was exactly what the developers intended.

Debian developers Holger Levsen and Jérémy Bobbio are steering a large-scale effort to eliminate unneeded variations from the build processes of thousands of free software projects, as well as provide tools to understand the source of these differences and update the infrastructure to allow developers to independently verify the authenticity of binary distributions.

Ensuring that no flaws are introduced during the build process greatly improves software security and control. This work has already made significant progress in Debian, and they are making their tools available for Fedora, Ubuntu, OpenWrt and other distributions as well. CII’s $200,000 grant will allow Levsen and Bobbio to meaningfully advance their Debian work and collaborate more closely with other distributions.

The Fuzzing Project – The fuzzing software testing technique is a powerful mechanism to identify security problems in software or computer systems. Security researcher Hanno Böck spearheads The Fuzzing Project, coordinating fuzzing efforts for open source software. Many vulnerabilities in well-known software, including several GnuPG and OpenSSL bugs reported lately, were found by Böck’s effort. He will receive $60,000 from CII to continue his work finding and reporting fuzzer-related issues in open source software. He works on improving and documenting the tools and methods to automatically find large quantities of bugs in software.

False-Positive-Free Testing – Pascal Cuoq, chief scientist and co-founder of TrustInSoft, a company that uses the Frama-C platform to guarantee software has no flaws, will receive a grant to build an open source TIS Interpreter, including all the extensions necessary to support the false-positive-free operation on OpenSSL. This work is based on TIS Analyzer, a commercial software analysis tool based on Frama-C, the extensible open-source framework for source code analysis. One issue impairing TIS Analyzer’s widespread adoption is that it occasionally produces false positives: it can report security errors that are actually false alarms.

Cuoq’s new project supports a new flavor of TIS Analyzer named “TIS Interpreter” and a methodology that detects bugs with no false positives. Thus, any bug that is reported actually needs to be fixed. American Fuzzy Lop fuzzer will be used to automatically generate new test cases for OpenSSL from which TIS interpreter can detect bugs.

TIS Interpreter, expected to be released as open source software in early 2016, will use existing test cases to detect bugs with no false positives, which saves developers’ time. CII is investing $192,000 in this work, which combines existing technologies to test this new technique on OpenSSL, so that, if successful, it can be extended to other open source software to help developers better identify potential bugs and improve security.

“While each project we’re announcing funding for today is quite different, each is critical to our global computing infrastructure and cybersecurity. These new grants, combined with the stellar addition of Emily, mean CII is well-positioned to address critical infrastructure vulnerabilities in the months and years ahead,” said Jim Zemlin, Executive Director of The Linux Foundation. “Emily’s extensive Linux security experience and standards involvement will be a major asset to CII’s work as we move beyond point-fixes toward more holistic solutions for open source security.”

More About Emily Ratliff

As senior director of infrastructure security, Ratliff will set the direction for all CII endeavors, including managing membership growth, grant proposals and funding, and newly created CII tools and services. She brings a wealth of Linux, systems and cloud security experience to her new role. One of the first two people to work on base systems security at IBM’s Linux Technology Center, Ratliff contributed to the first Common Criteria evaluation of Linux, gaining an in-depth understanding of the risk involved when adding an open source package to a system. She has gained expertise working with open standards groups, including the Trusted Computing Group and GlobalPlatform, and has been a Certified Information Systems Security Professional since 2004.

CII accepts grant applications ongoing with priority given to underfunded open source projects that support the largest amount of infrastructure. A steering committee, which meets quarterly to review proposals, recently renewed annual grants for GnuPG, NTPd, OpenSSL, and OpenSSH to continue supporting developers and code audits. To submit a grant application or for more information, go to: http://www.linuxfoundation.org/programs/core-infrastructure-initiative.

About The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

###

The Linux Foundation, Linux Standard Base, MeeGo, Tizen and Yocto Project are trademarks of The Linux Foundation. OpenBEL is a trademark of OpenBEL Consortium. OpenDaylight is a trademark of the OpenDaylight Project, Linux is a trademark of Linus Torvalds

CII aims to extend funding to other, critical and underfunded projects

DUSSELDORF, Germany, LinuxCon and CloudOpen, October 13, 2014 – The Core Infrastructure Initiative (CII), a project hosted by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund critical open source projects that are in need of assistance, today issued a call for new grant proposals for open source projects seeking industry support.

While there are not formal requirements for proposals, grant requests should describe the history of the project, how it represents core Internet infrastructure and how the project would benefit from funding for developers, code audits or other measures. Grant proposals can be submitted on an ongoing basis. Decisions are made by CII’s twenty-member steering group, which is informed by an esteemed Advisory Board of community and industry experts.

CII earlier this year made initial grants to OpenSSL, NTP and OpenSSH. These grants have been used for code audits, hiring more developers and providing infrastructure.

“Our initial grants to OpenSSL, NTP and OpenSSH are already helping those core projects we all rely on,” said Linux Foundation Executive Director Jim Zemlin. “CII is now ready to expand the positive impact we hope to have on more open source projects that are critical to the Internet’s infrastructure.”

Grants proposals may be made online at https://www.linuxfoundation.org/programs/core-infrastructure-initiative

The members of the CII are Adobe, Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, HP, Hitachi, Huawei, IBM, Intel, Microsoft, NEC, NetApp, Qualcomm, Rackspace, salesforce.com and VMware.

About The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

The Linux Foundation, Linux Standard Base, MeeGo, Tizen and Yocto Project are trademarks of The Linux Foundation. OpenBEL is a trademark of OpenBEL Consortium. OpenDaylight is a trademark of the OpenDaylight Project, Linux is a trademark of Linus Torvalds

# # #

The Linux Foundation’s CII adds Hitachi and NEC to roster of companies working to identify and fund open source projects in need of assistance

Chicago, Ill. LINUXCON & CLOUDOPEN, August 20, 2014 – The Core Infrastructure Initiative (CII), a project hosted by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund open source projects that are in need of assistance, today announced new backers. Hitachi and NEC will work with existing CII members to collaboratively identify and support the critical infrastructure projects most in need of support.

These newest backers join other members of CII who include Adobe, Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, HP, Huawei, IBM, Intel, Microsoft, NetApp, Rackspace, salesforce.com and VMware. Comments from the newest members are included below.

“Hitachi and NEC are prioritizing support for some of the world’s most important open source projects and will help the industry move from crisis-driven responses to a measured, proactive approach to funding projects that are most in need,” said Jim Zemlin, executive director at The Linux Foundation. “Open source projects are the foundation for most of today’s global infrastructure and need be supported by the companies and users who rely on them.”

CII provides funding for fellowships for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support. The Steering Committee, comprised of members of the Initiative, and the Advisory Board of industry stakeholders and esteemed developers, are tasked with identifying underfunded open source projects that support critical infrastructure and administering the funds through The Linux Foundation.

Projects currently receiving funding include Network Time Protocol, Open Crypto Audit Project (OCAP), OpenSSH and OpenSSL. Other projects are under consideration and will be funded as assessments are completed and budget allows.

The Advisory Board includes Linux kernel developer Alan Cox; security and cryptography researcher Matthew Green; Radio Free Asia’s Open Technology Fund Director Dan Meredith; professor of law and legal history at Columbia University and founder of Software Freedom Law Center Eben Moglen; Fellow at the Berckman Center for Internet & Society at Harvard Law School Bruce Schneier; Program Officer for Human Rights for MacArthur Foundation; Eric Spears; and Linux kernel developer Ted Ts’o.

The computing industry has increasingly come to rely upon shared source code to foster innovation. But as this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support commensurate with their importance. CII changes funding requests from the reactive post-crisis asks of today to proactive reviews identifying the needs of the most important projects. By raising funds at a neutral organization like The Linux Foundation, the industry can effectively give these projects the support they need while ensuring that open source projects retain their independence and community-based dynamism.

Hitachi

“The Core Infrastructure Initiative is going to address the needs in today’s software industry – a neutral, collaborative project that allows companies to support the work of today’s most critical open source projects,” said Susumu Okuhara, General Manager of Service Development Operation, IT Platform R&D Management Division, Hitachi. “We’re proud to be a part of this group and look forward to the impact it can have on the long-term health of our global infrastructure.”

NEC

“NEC has long valued Linux and open source software and supported their development,” said Naoki Hashitani, vice president, NEC. “CII gives us the opportunity to extend the support to open source projects and developers who might not be funded or supported if there were not initiatives like CII.”

Anyone can donate to the Core Infrastructure Initiative fund. To join or donate or find out more information about the Core Infrastructure please visithttps://www.linuxfoundation.org/programs/core-infrastructure-initiative

Additional Resources

News Release: Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation Form New Initiative to Support Critical Open Source Projects

News Release: The Linux Foundation’s Core Infrastructure Initiative Announces New Backers, First Projects to Receive Support and Advisory Board Members

About The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

The Linux Foundation, Linux Standard Base, MeeGo, Tizen and Yocto Project are trademarks of The Linux Foundation. OpenBEL is a trademark of OpenBEL Consortium. OpenDaylight is a trademark of the OpenDaylight Project, Linux is a trademark of Linus Torvalds

# # #