What is the relationship between the Core Infrastructure Initiative and OpenSSF?

The Core Infrastructure Initiative (CII) has officially ended and been replaced by the Open Source Security Foundation (OpenSSF). Many CII activities have transitioned to the OpenSSF. For example, the CII Best Practices Badge project has continued by transitioning to the OpenSSF Best Practices Working Group, and you can continue to contact the badging project through its badges mailing list. The CII research conducted on open source software security by Harvard continues as part of the OpenSSF Securing Critical Projects Working Group.

The CII website and materials are still available so that they can be used, enable transition, and provide useful historical information.

How can I join the discussion about the Core Infrastructure Initiative?

The CII has been replaced by the Open Source Security Foundation (OpenSSF), so you should instead join the discussions and activities of the OpenSSF.

The CII Best Practices Badge project has continued by transitioning to the OpenSSF Best Practices Working Group, and you can continue to contact the badging project through its badges mailing list. The CII research conducted on open source software security by Harvard continues as part of the OpenSSF Securing Critical Projects Working Group.

Historically, you would join us on #cii on irc.oftc.net and the cii-discuss mailing list, or join one of the initiative specific mailing lists:

How did I apply for a grant from CII?

Historically, the Core Infrastructure Initiative (CII) and its members came together to invest in core infrastructure, providing funding for fundamental projects like OpenSSL, OpenSSH, NTPd and others. Under the guidance of the Advisory Board, CII actively researched and identified new projects to improve the security of the internet. CII particularly looked for grant proposals which met the following criteria:

  1. CII-funded projects should benefit the open source community’s ability to deliver and maintain secure code.
  2. Communication security is our most critical need; funding priority should be for projects that improve and harden critical, at-risk service capabilities. Embedded, IoT, Mobile, Network, Server and Web Application are all target workloads.
  3. Practical solutions for today’s problems are a priority. Research, for example, should be prioritized towards applied topics that will impact the development community.
  4. Prefer community building projects over work for hire projects.

To submit a grant proposal, a proposer created an account and filled out the proposal questionnaire in CII’s online grant management system. Proposers could consult with a CII staff member before initiating the proposal process by filling out the webform on CII’s Contact page.

What was the Core Infrastructure Initiative?

The Core Infrastructure Initiative was a multi-million dollar project to fund and support critical elements of the global information infrastructure. It was organized by The Linux Foundation and supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware. CII enabled technology companies to collaboratively identify and fund open source projects that were in need of assistance, while allowing the developers to continue their work under the community norms that have made open source so successful.

The first project to receive funds from the Initiative was OpenSSL, which received fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests. CII, working with the Open Crypto Audit Project, retained the NCC Group to audit OpenSSL code. CII was formed as a response to the Heartbleed security crisis; however, the Initiative’s efforts were not restricted to crypto-related issues.

After it was founded, CII transitioned from only doing point fixes to also implementing holistic solutions for open source security. In 2020 the CII was replaced by the Open Source Security Foundation (OpenSSF).

Who was involved in CII and what role did they play?

Members of CII evaluated open source projects that are essential to global computing infrastructure and were experiencing under-investment. These companies recognized the need for directed funds for highly critical open source software projects they all consume and that run much of modern-day society. They also valued and invested in developers and collaborative software development and wanted to support this important work.

How was CII structured?

A steering committee consisted of one representative from each CII member. Committee members were asked to:

  • Identify projects and developers in need of support
  • Approve specific funding commitments
  • Oversee project roadmaps
  • Reach consensus to add additional members (e.g. crypto experts, community leaders) to the advisory board.

An advisory board of open source developers and respected community members helped inform the steering committee.

Who was on the Advisory Board?

The CII Advisory Board was formed to inform the CII Steering Committee about the open source projects most in need of support. With esteemed experts from the developer, security and legal communities, the CII Advisory Board played an important role in prioritizing projects and individuals who are building the software that runs our lives.

How was CII funded?

CII was funded by donations from individuals and members of the Initiative.

Why was The Linux Foundation the right forum for this funding?

The Linux Foundation is a nonprofit organization with strong, existing relationships throughout the technology industry. It marshals the resources of the Linux ecosystem and other innovative open source projects to provide much-needed services that are not easily offered by a single community member, entity or company. By raising funds at a neutral organization like The Linux Foundation, the industry can effectively give projects the support they need while ensuring that open source projects retain their independence and community-based dynamism.

Why was CII really needed?

The computing industry has increasingly come to rely upon shared source code to foster innovation. But as this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support commensurate with their importance. As we just witnessed with the Heartbleed crisis, too many critical open source software projects are under-funded and under-resourced. For instance, the OpenSSL project has in past years received about $2,000 per year in donations.

Why didn't you think about doing this before the lack of funding for OpenSSL resulted in Heartbleed?

We’re doing what we can now collectively to identify critical projects being overlooked or underfunded so that we drastically reduce the chances of this happening again.

Is it needed because open source code is low quality?

No. Open source development has historically produced high-quality and highly secure software. For instance, the Coverity Scan: Open Source Report study of software quality has shown that “open source software (for projects which have adopted development testing via the Coverity Scan service) not only has better than average quality as compared to the industry average, but in fact continues to raise the bar on what is considered good quality software for the entire industry”. But as all software has grown in complexity – with interoperability between highly complex systems now the standard – the need for developer support has grown.

Which projects were funded by CII?

During the first review of critical open source software projects, the CII Steering Committee prioritized Network Time Protocol, OpenSSH and OpenSSL for the first round of funding.

OpenSSL received funds from CII for two full-time core developers. The OpenSSL project also accepted additional donations, which could be coordinated directly with the OpenSSL Foundation (contact at info@opensslfoundation.com).

The Open Crypto Audit Project (OCAP) has also received funding to conduct a security audit of the OpenSSL code base.

Subsequent rounds awarded grants to developers working on GnuPG, Frama-C, and the Fuzzing Project. Please see the full list of grants.

Other projects were under consideration and were funded as assessments were completed and budget allowed. People were asked to nominate projects by filling out the nomination form.

How did CII pick which projects to fund?

CII started by nominating the projects which the Advisory Board and Steering Committee believed to have the greatest need. Projects could self-nominate using the form on the contact page.

CII eventually focused on moving the initiative to the next level. CII began moving beyond the ad hoc nature of grants towards a strategic approach that engaged in threat modeling with a targeted selection of projects to audit. CII’s job was to identify which projects needed help to get stronger and to create incentives to ensure that the strong projects were following best practices. CII was using the Census project to prioritize the list of open source projects with which to engage. It was eventually decided that it would be more effective to create a different structure to address open source software security, based in part on lessons learned running the CII, so the CII was replaced by the Open Source Security Foundation (OpenSSF).

How did CII work with other organizations?

CII worked with the Open Crypto Audit Project, a group of world-renowned cryptographers and security experts, to target key projects to audit. NCC Group (formerly iSec), one of the top security firms, was retained to audit OpenSSL. CII looked to partner with more organizations and individuals who wanted to advance the state of open source security.