Lawmakers press Linux on security of open-source software

Republican leaders of the House Energy and Commerce Committee are pressing the nonprofit Linux Foundation on how the tech community can better mitigate vulnerabilities in open-source software.

Rep. Greg Walden (R-Ore.), the committee chairman, and Rep. Gregg Harper (R-Miss.) sent a letter to the Linux Foundation on Monday, citing the critical “Heartbleed” vulnerability discovered in 2014 that impacted thousands of websites and allowed hackers to steal user passwords.

{mosads}“As the last several years have made clear, OSS [open-source software] is such a foundational part of the modern connected world that it has become critical cyber infrastructure,” the lawmakers wrote. “As we continue to examine cybersecurity issues generally, it is therefore imperative that we understand the challenges and opportunities the OSS ecosystem faces, and potential steps that OSS stakeholders may take to further support it.” 

The lawmakers emphasized that the wide use of open-source software by businesses “creates widespread, distributed, and common points of potential risk across organizations when OSS vulnerabilities are found.” 

Open-source software is built with code that is publicly accessible, in contrast to software developed by companies like Microsoft and Apple that relies on code that only the developers have viewed. The Linux Foundation is a nonprofit organization founded in 2000 to promote and advance open-source tech projects.

“Companies like Microsoft, Adobe, or Apple have the processes and procedures in place to quickly address these vulnerabilities, and—more importantly—the time and funding to do so,” the lawmakers wrote Monday. “This is not always the case for OSS vulnerabilities, as OSS creators or maintainers may be globally-located volunteers, who often have unrelated full-time employment and may be uncompensated for their OSS work.”

Following the revelation of the Heartbleed vulnerability, Linux launched what is known as the Core Infrastructure Initiative, a project to fund and support critical open-source software development.

The Republicans asked Linux executive director Jim Zemlin whether the foundation has studied which pieces of open-source software are “most critical” to global computer networks and whether it compiled statistics on the usage of open-source software. 

The lawmakers also asked Linux to measure “how sustainable and stable” the open-source ecosystem is, and what steps could be taken to make it more resilient.