Major Tech Companies Pledge Large Financial Commitments to Secure Open Source Software
The Linux Foundation and Open Source Security Foundation (OpenSSF) have announced a 10-point plan to enhance open source and supply chain security, marking a significant step forward in addressing security problems in the open source ecosystem.
The plan, which is part of a larger industry effort, follows a White House summit in January convened by the National Security Council. The 10-point plan aims to find and fix vulnerabilities such as the recent Log4j issue faster, in order to protect the U.S. from malicious cyberattacks.
Several leading technology companies, including Amazon, Ericsson, Google, Intel, Microsoft, and VMware, have pledged an initial tranche of more than $30 million in funding for this initiative. Google Cloud has also announced the launch of an Open Source Maintenance Crew, a dedicated team of engineers to boost the security of various open source projects.
The amount of funding tech companies are pledging is significant compared to previous investments in open source. Wealthy Silicon Valley companies have been able to build their products on open source repositories while contributing limited investment or support toward the creation of that code.
GitHub is committed to advancing the efforts outlined during the meeting. The company plans to enable two-factor authentication on GitHub.com and npm, encourage financial backing for developers, and offer free security training through the GitHub Security Lab. GitHub CSO Mike Hanley stated that securing the open source ecosystem involves empowering developers and open source maintainers with tools and best practices.
Brian Behlendorf, general manager of the Linux Foundation's OpenSSF project, noted that the funding is a drop in the bucket compared to the cost of remediating a major vulnerability. He emphasized the need for ongoing efforts to maintain and secure open source projects.
The open source community, largely composed of volunteers, invests time and effort into creating code that serves as the foundation for much of modern computing. The industry's commitment to funding and supporting this community is a positive step towards ensuring the long-term sustainability and security of open source software.
In addition to the funding and initiatives announced, Google Cloud has launched a new dataset through the Open Source Insights project, giving developers and maintainers access to critical software supply chain information. This dataset will help improve transparency and collaboration within the open source community, further enhancing the security of open source software.
The industry's collective efforts to improve open source and supply chain security are a testament to the importance of this issue in the tech industry. As more companies pledge funding and resources, the future of open source security looks promising.