Members of the Linux Foundation have announced a fresh pledge of just under $4 million to the OpenSSL encryption standard along with several other notable open source programs, far exceeding its previous budget in an effort to shore up defenses from another attack like the massive Heartbleed bug which sent shockwaves through the security community just three short weeks ago.
As things stood pre-Heartbleed, OpenSSL received a whopping $2,000 per year in donation-backed funding, and was maintained day to day by a single programmer who wasn’t on any payroll to speak of.
With this in mind, it’s no surprise that the open-source encryption library was so easily exploited. Much like the war on terror, it’s only after the attack happens that the rest of the security community stands up and demands that preventative measures get more attention, in order to keep the same hole from cracking open twice in a row.
The entirety of the funding won’t end up in the laps of the OpenSSL developers though, with much of the donation being spread out between dozens of different open source projects including OpenBSD, Linux, and the newest entry to the market, LibreSSL.
According to the president of the OpenSSL Software Foundation Steve Marquess, the few programmers currently strapped with the monolithic responsibility of keeping the world’s financial transactions and personal account information safe do so out of charity, subsidized primarily by the salaries they receive from their normal day jobs.
“Lacking any other significant source of revenue, we get most of ours the hard way: we earn it via commercial ‘work-for-hire’ contracts,” Marquess wrote. “The customer wants something related to OpenSSL, realizes that the people who wrote it are highly qualified to do it, and hires one or more of us to make it happen. For the OpenSSL team members not having any other employment or day job, such contract work is their only non-trivial source of income.”
It’s this sort of haphazard support for the project which has caused OpenSSL to fall behind many other competitors in the field, and could be the primary reason why it was so easy for a bug so big to go undetected for as long as it did. With this new injection of capital, leaders of the Linux Foundation hope to stabilize a system which went far too long (two years and change, to be less than exact) without the proper channels of cash being funneled to the people and programmers who have taken up the task of keeping the rest of us safe from ourselves and the rest of the net at large.