How do I apply for a grant from CII?

The Core Infrastructure Initiative (CII) and its members have come together to invest in core infrastructure, providing funding for fundamental projects like OpenSSL, OpenSSH, NTPd and others. Under the guidance of the Advisory Board, CII is actively researching and identifying new projects to improve the security of the internet. CII is particularly looking for grant proposals which meet the following criteria:

  1. CII funded projects should benefit the open source community's ability to deliver and maintain secure code.
  2. Communication security is our most critical need; funding priority should be for projects that improve and harden critical at-risk services capabilities. Embedded, IoT, Mobile, Network, Server and Web Application are all target workloads.
  3. Practical solutions for today's problems are a priority. Research, for example, should be prioritized towards applied topics that will impact the development community.
  4. Prefer community building projects over work for hire projects.

 To submit a grant proposal please create an account and fill out the proposal questionnaire in CII's online grant management system. If you would like to consult with a CII staff member before initiating the proposal process, please fill out the webform on CII's Contact page.

Tom Ritter

Tom Ritter

Practice Director at NCC Group's Cryptography Services

Tom Ritter is a Practice Director at NCC Group's Cryptography Services, performing cryptographic analysis of protocols and implementations across multiple platforms and environments. He has spent several years leading application security assessments and research on everything from browsers to embedded cell towers, and before that worked as a developer in the Financial Services sector. Some of his public work can be seen at security conferences in Europe, North and South America and in managing NCC Group's work with the Open Technology Fund and the Open Crypto Audit Project, comprising public reports on TrueCrypt, TorBrowser and several other applications. He is involved in IETF Working Groups for secure protocols, is a volunteer for the Tor Project, and works towards security, anonymity, and privacy on the Internet.


Tooling is expensive. Building tools that open source projects can rely on is very expensive. But tooling scales and investments in tooling pay off in improved security and verifiability in multiple projects.

Census Project

The Census project is an experimental tool to help parse through the known data about popular open source projects to help identify the ones that should be tested to see if they need some help.

How does CII pick the projects to fund?

CII started by nominating the projects which the Advisory Board and Steering Committee believed to have the greatest need. Projects can self nominate using the form on the contact page.

CII is now focused on moving the initiative to the next level. CII is moving beyond the ad hoc nature of grants towards a strategic approach that engages in threat modeling with a targeted selection of projects to audit. CII's job is to identify which projects need help to get stronger and to create incentives to ensure that the strong projects are following best practices. CII is using the Census project to prioritize the list of open source projects with which to engage.

How will CII work with other organizations?

CII is working with the Open Crypto Audit Project, a group of world renowned cryptographers and security experts to target key projects to audit. NCC Group (formerly iSec) , one of the top security firms, has been retained to audit OpenSSL. CII is looking to partner with more organizations and individuals who want to advance the state of open source security.

Which Projects are Funded By CII?

During the first review of critical open source software projects, the CII Steering Committee prioritized Network Time Protocol, OpenSSH and OpenSSL for the first round of funding.

OpenSSL is receiving funds from CII for two, full time core developers. The OpenSSL project is accepting additional donations, which can be coordinated directly with the OpenSSL Foundation (contact at

The Open Crypto Audit Project (OCAP) has also received funding to conduct a security audit of the OpenSSL code base.

Subsequent rounds awarded grants to developers working on GnuPG, Frama-C, and the Fuzzing Project. Please see the full list of grants.

Other projects are under consideration and will be funded as assessments are completed and budget allows. Nominate your favorite project by filling out this form.

Is it needed because open source code is low quality?

Open source development has historically produced high-quality and highly secure software. For instance, the most recent Coverity Scan: Open Source Report study of software quality has shown that "open source software (for projects which have adopted development testing via the Coverity Scan service) not only has better than average quality as compared to the industry average, but in fact continues to raise the bar on what is considered good quality software for the entire industry". But as all software has grown in complexity – with interoperability between highly complex systems now the standard– the need for developer support has grown.


Subscribe to Core Infrastructure Initiative RSS