When the Heartbleed bug was found in popular encryption protocol OpenSSL this month, it left many companies scrambling to patch servers and protect user data. Yahoo was hit particularly hard, with security researchers claiming to be able to harvest Yahoo Mail usernames and passwords due to the glitch, and several other Yahoo products being affected.
But when the Linux Foundation was coordinating the Core Infrastructure Initiative, the program announced today to fund and maintain the open-source projects that make up the digital infrastructure of the web, and which it bills as "the industry's collective response to the Heartbleed crisis," Yahoo didn't get looped in.
Yahoo has had a pretty rough year on the security and stability front. Besides Heartbleed, it has suffered a series of setbacks, including a multi-day e-mail outage that affected about 1 million users and the revelation that its lagging encryption practices had left some of its user data more vulnerable to National Security Agency snooping than that of other major tech companies.
But the company has been working hard to bounce back, rolling out encryption by default for Web mail users (albeit with some hiccups) and securing its data center links, as well as hiring well-respected security researcher Alex Stamos as its new chief information security officer.
And, of course, the company remains a major player in the tech scene. According to comScore, Yahoo sites receive massive amounts of traffic and the company has the second-most-used e-mail service in the world. So why did it get left out of the Core Infrastructure Initiative?
According to Amanda McPherson, chief marketing officer at the Linux Foundation, it was an oversight. "We unfortunately have not been able to reach every company in the industry," she says.
McPherson added that the Foundation hopes to bring in more companies, including Yahoo. The Foundation would "love to have" Yahoo participate in the coming weeks, McPherson said — but it just didn't have any current contacts within the company.
For its part, Yahoo says it is eager to support the open-source community and help prevent the next Heartbleed disaster. "Yahoo's a huge supporter of open source, and we have been since our founding," according to a Yahoo spokesperson. "We've helped launch global open-source projects, including Hadoop, and we'll continue to support these projects going forward."
But while Yahoo is "very interested" in joining open-source efforts that would help prevent vulnerabilities like Heartbleed, the company is still considering its options, the spokesperson said. "Right now, there are a lot of competing theories about the best way forward," they said, adding that they believe the tech community needs to support a diverse group of open-source projects. "We're evaluating them and determining the most effective way for our company to participate."