US Republicans query Linux Foundation about open-source security

April 4, 2018

On Monday, two Republican US legislators, Walden and Harper, respectively the chairman of the and the chairman of the , co-wrote a public letter to Zemlin, executive director of The Linux Foundation, about open-source software (OSS) and improving its security. They asked Zemlin to answer their questions no later than April 16.

The letter contained the following four questions; each of the first two has two further follow-up questions.

1. Has the CII [Core Infrastructure Initiative] performed a comprehensive study of which pieces of OSS are most crucial to the "global information infrastructure"?
   a. If not, does the CII plan to perform such a study?
   b. What would the CII need in order to do so?
2. Has the CII, or any other organization, compiled any statistics on OSS usage?
   a. If not, does the CII plan to perform such a study?
   b. What would the CII need in order to do so?
3. In your estimation, how sustainable and stable is the OSS ecosystem?
4. Based on your response to the previous question, how can the OSS ecosystem be made more sustainable and stable?

As an example, Walden and Harper cited a 2014 "critical cybersecurity vulnerability" that allowed the hacking of websites, passwords and millions of medical records. They also wrote that, in response to that vulnerability, The Linux Foundation established a multi-million dollar project, the Core Infrastructure Initiative, intended to improve the global infrastructure of such software.

The politicians noted that large tech companies, such as Microsoft and Apple Inc., respond more quickly to such critical vulnerabilities than distributors and developers of open-source software do.

Open-source software is "publicly accessible" and usually freely licensed for a wide range of uses, including modification and commercial use. Walden and Harper also praised open-source software and cited a 2015 survey conducted by Black Duck Software which found that 78% of companies used such software.