What is the relationship between the Core Infrastructure Initiative and OpenSSF?

The Core Infrastructure Initiative (CII) has officially ended and been replaced by the Open Source Security Foundation (OpenSSF). The CII website and materials remain available for reference and to ease the transition.

How can I join the discussion about the Core Infrastructure Initiative?

Historically, you would join us on #cii on irc.oftc.net and the cii-discuss mailing list.

Or join one of the initiative-specific mailing lists.

However, most of this is no longer relevant since the CII is no longer active.

The CII Best Practices Badge project has continued by transitioning to the OpenSSF Best Practices Working Group, and you can continue to contact it through its badges mailing list.

How do I apply for a grant from CII?

The Core Infrastructure Initiative (CII) and its members have come together to invest in core infrastructure, providing funding for fundamental projects such as OpenSSL, OpenSSH, NTPd and others. Under the guidance of the Advisory Board, CII actively researches and identifies new projects to improve the security of the internet. CII is particularly looking for grant proposals that meet the following criteria:

  1. CII-funded projects should benefit the open source community’s ability to deliver and maintain secure code.
  2. Communication security is our most critical need; funding priority should go to projects that improve and harden critical, at-risk service capabilities. Embedded, IoT, mobile, network, server and web application are all target workloads.
  3. Practical solutions for today’s problems are a priority. Research, for example, should be prioritized towards applied topics that will have an impact on the development community.
  4. Community-building projects are preferred over work-for-hire projects.

To submit a grant proposal, please create an account and fill out the proposal questionnaire in CII’s online grant management system. If you would like to consult with a CII staff member before initiating the proposal process, please fill out the webform on CII’s Contact page.

What is the Core Infrastructure Initiative?

The Core Infrastructure Initiative is a multi-million-dollar project to fund and support critical elements of the global information infrastructure. It is organized by The Linux Foundation and supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware. CII enables technology companies to collaboratively identify and fund open source projects that are in need of assistance, while allowing the developers to continue their work under the community norms that have made open source so successful.

The first project to receive funds from the Initiative is OpenSSL, which received fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests. CII, working with the Open Crypto Audit Project, has retained the NCC Group to audit OpenSSL code. CII was formed as a response to the Heartbleed security crisis; however, the Initiative’s efforts will not be restricted to crypto-related issues.

CII is transitioning from point fixes to holistic solutions for open source security.

Who is involved in CII and what role do they play?

Members of CII evaluate open source projects that are essential to global computing infrastructure and are experiencing under-investment. These companies recognize the need for directed funds for highly critical open source software projects that they all consume and that run much of modern-day society. They also value and invest in developers and collaborative software development, and want to support this important work.

How is CII structured?

A steering committee consists of one representative from each CII member. Committee members:

  • Identify projects and developers in need of support
  • Approve specific funding commitments
  • Oversee project roadmaps
  • Reach consensus on adding additional members (e.g. crypto experts, community leaders) to the advisory board

An advisory board of open source developers and respected community members helps inform the steering committee.

Who is on the Advisory Board?

The CII Advisory Board was formed to inform the CII Steering Committee about the open source projects most in need of support. With esteemed experts from the developer, security and legal communities, the CII Advisory Board plays an important role in prioritizing the projects and individuals who are building the software that runs our lives.

How is CII funded?

CII is funded by donations from individuals and from members of the Initiative.

Why is The Linux Foundation the right forum for this funding?

The Linux Foundation is a nonprofit organization with strong existing relationships throughout the technology industry. It marshals the resources of the Linux ecosystem and other innovative open source projects to provide much-needed services that are not easily offered by a single community member, entity or company. By raising funds at a neutral organization like The Linux Foundation, the industry can effectively give projects the support they need while ensuring that open source projects retain their independence and community-based dynamism.

Why is CII really needed?

The computing industry has increasingly come to rely upon shared source code to foster innovation. But as this shared code has become ever more critical to society and more complex to build and maintain, certain projects have not received a level of support commensurate with their importance. As we just witnessed with the Heartbleed crisis, too many critical open source software projects are under-funded and under-resourced. For instance, the OpenSSL project has in past years received about $2,000 per year in donations.

Why didn't you think about doing this before the lack of funding for OpenSSL resulted in Heartbleed?

We’re doing what we can now collectively to identify critical projects being overlooked or underfunded so that we drastically reduce the chances of this happening again.

Is it needed because open source code is low quality?

Open source development has historically produced high-quality and highly secure software. For instance, the most recent Coverity Scan: Open Source Report study of software quality has shown that “open source software (for projects which have adopted development testing via the Coverity Scan service) not only has better than average quality as compared to the industry average, but in fact continues to raise the bar on what is considered good quality software for the entire industry”. But as all software has grown in complexity, with interoperability between highly complex systems now the standard, the need for developer support has grown.

Which projects are funded by CII?

During the first review of critical open source software projects, the CII Steering Committee prioritized Network Time Protocol, OpenSSH and OpenSSL for the first round of funding.

OpenSSL is receiving funds from CII for two full-time core developers. The OpenSSL project is accepting additional donations, which can be coordinated directly with the OpenSSL Foundation (contact at info@opensslfoundation.com).

The Open Crypto Audit Project (OCAP) has also received funding to conduct a security audit of the OpenSSL code base.

Subsequent rounds awarded grants to developers working on GnuPG, Frama-C, and the Fuzzing Project. Please see the full list of grants.

Other projects are under consideration and will be funded as assessments are completed and budget allows. Nominate your favorite project by filling out this form.

How does CII pick which projects to fund?

CII started by nominating the projects that the Advisory Board and Steering Committee believed to have the greatest need. Projects can self-nominate using the form on the contact page.

CII is now focused on moving the initiative to the next level. CII is moving beyond the ad hoc nature of grants towards a strategic approach that engages in threat modeling with a targeted selection of projects to audit. CII’s job is to identify which projects need help to get stronger and to create incentives to ensure that the strong projects are following best practices. CII is using the Census project to prioritize the list of open source projects with which to engage.

How will CII work with other organizations?

CII is working with the Open Crypto Audit Project, a group of world-renowned cryptographers and security experts, to target key projects to audit. NCC Group (formerly iSec), one of the top security firms, has been retained to audit OpenSSL. CII is looking to partner with more organizations and individuals who want to advance the state of open source security.