Linux Foundation announces $10 million cross-industry investment in Open Source Security Foundation

Oracle CEO Larry Ellison delivers a keynote address at the 2006 Oracle OpenWorld conference Oct. 25, 2006, in San Francisco.  (Photo by Justin Sullivan/Getty Images)

The Linux Foundation announced Wednesday a bevy of big-name tech and financial players pooled $10 million in donations for its Open Source Security Foundation (OpenSSF).

Donors include major names in open source and software development, like Google, Microsoft, Red Hat and IBM, as well as some less obvious backers, like JPMorgan Chase, Morgan Stanley and Fidelity.

"These groups know their stacks are made up of largely open-source software so they're looking to pay it forward to these indirect dependencies," Brian Behlendorf, general manager of OpenSSF, told SC. "And they know that the software they consume either from a commercial vendor or the stuff they create themselves is made up of open source. By improving the baseline of open source, they're going to get better quality code in the end."

OpenSSF has a wide portfolio of security activities, everything from an automated software Security Scorecard to vulnerability research, to training and standards programs, to Salsa, a new software supply chain project.

The $10 million is made up of donations from Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, VMware, Anchore, Apiiro, AuriStar, Deepfence, Devgistics, GitLab, Nutanix, TideLift and Wind River.

Behlendorf said the money would fund long-term projects in the near term and also support one-time efforts that create broad impact, such as rewriting common libraries in memory-safe languages like Rust.

"I think we'll see other large end-user organizations join OpenSSF for the same reason as these donors," Jim Zemlin, executive director at the Linux Foundation, told SC. "This is one of a set of risk mitigation practices for the modern software world and as major consumers of that they have as much of a stake in making sure it's built right as the vendors in this ecosystem and the major platforms."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
