Why Doesn’t Google or Facebook Buy the OpenSSL Project?

The OpenSSL Project is a collaborative effort driven by a dozen volunteers. They are responsible for developing, maintaining, securing, and managing the OpenSSL software stack. As everyone found out last week, their work is extremely important to every business transacting over the Internet. All major technology companies use OpenSSL, including the CDNs, hardware vendors and software vendors. OpenSSL supports billions of dollars in transactions, if not tens of billions, yet the foundation is still severely underfunded.

The reason the Heartbleed flaw happened in the first place is that the project team lacks the funds to pay for security audits of the OpenSSL software stack. With such an important tool that is critical to the success of the Internet, why doesn’t someone like Google, Facebook, Cisco or IBM buy them up, leave them to operate as they do now, but give them the funds to secure the code? I’m sure that is cheaper than having to go through this fiasco a second time.