What is the Core Infrastructure Initiative?

The Core Infrastructure Initiative is a multi-million dollar project to fund and support critical elements of the global information infrastructure. It is organized by The Linux Foundation and supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware. CII enables technology companies to collaboratively identify and fund open source projects that are in need of assistance, while allowing the developers to continue their work under the community norms that have made open source so successful.

The first project to receive funds from the Initiative is OpenSSL, which received fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests. CII, working with the Open Crypto Audit Project, has retained the NCC Group to audit OpenSSL code. CII was formed as a response to the Heartbleed security crisis; however, the Initiative’s efforts will not be restricted to crypto-related issues.

CII is transitioning from point fixes to holistic solutions for open source security.

Who is involved in CII and what role do they play?

Members of CII evaluate open source projects that are essential to global computing infrastructure and are experiencing under-investment. These companies recognize the need for directed funds for highly critical open source software projects they all consume and that run much of modern day society. They also value and invest in developers and collaborative software development and want to support this important work.

How is CII structured?

A steering committee consists of one representative from each CII member. Committee members:

  • Identify projects and developers in need of support
  • Approve specific funding commitments
  • Oversee project roadmaps
  • Reach consensus to add additional members (e.g. crypto experts, community leaders) to the advisory board.

An advisory board of open source developers and respected community members helps inform the steering committee.

Who is on the Advisory Board?

The CII Advisory Board was formed to inform the CII Steering Committee about the open source projects most in need of support. With esteemed experts from the developer, security and legal communities, the CII Advisory Board plays an important role in prioritizing projects and individuals who are building the software that runs our lives.

How Is CII Funded?

CII is funded by donations from individuals and members of the Initiative.

Why is The Linux Foundation the right forum for this funding?

The Linux Foundation is a nonprofit organization with strong, existing relationships throughout the technology industry. It marshals the resources of the Linux ecosystem and other innovative open source projects to provide much needed services that are not easily offered by a single community member, entity or company. By raising funds at a neutral organization like The Linux Foundation, the industry can effectively give projects the support they need while ensuring that open source projects retain their independence and community-based dynamism.

Why is CII really needed?

The computing industry has increasingly come to rely upon shared source code to foster innovation. But as this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support commensurate with their importance. As we just witnessed with the Heartbleed crisis, too many critical open source software projects are under-funded and under-resourced. For instance, the OpenSSL project has in past years received about $2,000 per year in donations.

Is it needed because open source code is low quality?

Open source development has historically produced high-quality and highly secure software. For instance, the most recent Coverity Scan: Open Source Report study of software quality has shown that "open source software (for projects which have adopted development testing via the Coverity Scan service) not only has better than average quality as compared to the industry average, but in fact continues to raise the bar on what is considered good quality software for the entire industry". But as all software has grown in complexity – with interoperability between highly complex systems now the standard – the need for developer support has grown.

Which Projects are Funded By CII?

During the first review of critical open source software projects, the CII Steering Committee prioritized Network Time Protocol, OpenSSH and OpenSSL for the first round of funding.

OpenSSL is receiving funds from CII for two full-time core developers. The OpenSSL project is accepting additional donations, which can be coordinated directly with the OpenSSL Foundation (contact at info@opensslfoundation.com).

The Open Crypto Audit Project (OCAP) has also received funding to conduct a security audit of the OpenSSL code base.

Subsequent rounds awarded grants to developers working on GnuPG, Frama-C, and the Fuzzing Project. Please see the full list of grants.

Other projects are under consideration and will be funded as assessments are completed and budget allows. Nominate your favorite project by filling out this form.

How does CII pick the projects to fund?

CII started by nominating the projects which the Advisory Board and Steering Committee believed to have the greatest need. Projects can self-nominate using the form on the contact page.

CII is now focused on moving the initiative to the next level. CII is moving beyond the ad hoc nature of grants towards a strategic approach that engages in threat modeling with a targeted selection of projects to audit. CII's job is to identify which projects need help to get stronger and to create incentives to ensure that the strong projects are following best practices. CII is using the Census project to prioritize the list of open source projects with which to engage.

How will CII work with other organizations?

CII is working with the Open Crypto Audit Project, a group of world-renowned cryptographers and security experts, to target key projects to audit. NCC Group (formerly iSec), one of the top security firms, has been retained to audit OpenSSL. CII is looking to partner with more organizations and individuals who want to advance the state of open source security.