The Linux Foundation announced Wednesday a bevy of big-name tech and financial players pooled $10 million in donations for its Open Source Security Foundation (OpenSSF).
Donors include major names in open source and software development, like Google, Microsoft, Red Hat and IBM, as well as some less obvious backers, like JPMorgan Chase, Morgan Stanley and Fidelity.
"These groups know their stacks are made up of largely open-source software so they're looking to pay it forward to these indirect dependencies," Brian Behlendorf, general manager of OpenSSF told SC. "And they know that the software they consume either from a commercial vendor or the stuff they create themselves is made up of open source. By improving the baseline of open source, they're going to get better quality code in the end."
OpenSSF has a wide portfolio of security activities, everything from an automated software Security Scorecard to vulnerability research, to training and standards programs, to SLSA, a new software supply chain project.
The $10 million is made up of donations from Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, VMware, Anchore, Apiiro, AuriStar, Deepfence, Devgistics, GitLab, Nutanix, TideLift and Wind River.
Behlendorf said that the money would fund long-term projects in the short term and would also support one-time efforts with broad impact, such as rewriting common libraries in memory-safe languages like Rust.
"I think we'll see other large end-user organizations join OpenSSF for the same reason as these donors," Jim Zemlin, executive director at the Linux Foundation, told SC. "This is one of a set of risk mitigation practices for the modern software world and as major consumers of that they have as much of a stake in making sure it's built right as the vendors in this ecosystem and the major platforms."