Sovereign Tech Fund Invests in OpenSSL

The OpenSSL Foundation is pleased to announce a €405,888 investment from the Sovereign Tech Fund to enhance timing side-channel resistance in the BIGNUM code and address a backlog of user-submitted GitHub issues.
While most computers typically handle 64-bit numbers, OpenSSL’s code works with much larger numbers, which we call BIGNUMs. Depending on the exact size of the BIGNUM, the amount of time taken to process these very large numbers can vary. These small timing variations can pose potential security concerns. This issue was first raised in July 2018, and we’ve continued to receive security reports about it over the years, most commonly from academic researchers. Although OpenSSL developers have fixed individual issues, we’ve been unable to tackle the underlying problem because of its complexity, competing priorities, and limited engineering resources.
With this investment from Sovereign Tech Agency, we will be able to implement BIGNUMs with a “fixed width,” meaning that the amount of memory consumed (and, therefore, processing time) will always be the same, regardless of the value being stored. We also will address backwards compatibility with existing APIs that do not specify what the fixed width should be. Our work plan anticipates completion of this work within one year.
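The difference between value-dependent and fixed-width processing, shown as an added example that is not OpenSSL's code: a toy bignum (`toy_bn`, `LIMBS` and every function name here are hypothetical) whose addition returns the number of limb steps it performed, as a stand-in for running time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LIMBS 4 /* assumed fixed width: 4 x 64-bit limbs (256 bits) */
/* Toy little-endian bignum; hypothetical type, not OpenSSL's BIGNUM. */
typedef struct { uint64_t d[LIMBS]; size_t top; } toy_bn;
static void toy_fix_top(toy_bn *a) { /* top = significant limbs, value-dependent */
    for (a->top = LIMBS; a->top > 0 && a->d[a->top - 1] == 0; a->top--) {}
}
toy_bn toy_set(uint64_t d0, uint64_t d1, uint64_t d2, uint64_t d3) {
    toy_bn a = { { d0, d1, d2, d3 }, 0 };
    toy_fix_top(&a);
    return a;
}

/* One limb of add-with-carry, written without a branch on the data. */
static uint64_t add_limb(uint64_t *r, uint64_t a, uint64_t b, uint64_t carry) {
    uint64_t s = a + carry, c = (uint64_t)(s < carry);
    *r = s + b;
    return c | (uint64_t)(*r < s);
}

/* Variable width: loop length follows operand magnitude; returns limb steps. */
size_t toy_add_variable(toy_bn *r, const toy_bn *a, const toy_bn *b) {
    size_t n = a->top > b->top ? a->top : b->top, i, steps = 0;
    uint64_t carry = 0;
    for (i = 0; i < n; i++, steps++)
        carry = add_limb(&r->d[i], a->d[i], b->d[i], carry);
    /* Carry-out limb: a step only when it occurs (zeroing is uncounted bookkeeping). */
    for (; i < LIMBS; i++, carry = 0) { r->d[i] = carry; steps += (size_t)carry; }
    toy_fix_top(r);
    return steps;
}

/* Fixed width: always LIMBS steps, whatever the values are. */
size_t toy_add_fixed(toy_bn *r, const toy_bn *a, const toy_bn *b) {
    size_t i; uint64_t carry = 0;
    for (i = 0; i < LIMBS; i++)
        carry = add_limb(&r->d[i], a->d[i], b->d[i], carry);
    r->top = LIMBS; /* width belongs to the type, not the value */
    return i;
}

int main(void) { /* constructed sample values: one-limb and four-limb operands */
    toy_bn s = toy_set(5, 0, 0, 0), b = toy_set(1, 2, 3, 4), r;
    printf("variable %zu/%zu\n", toy_add_variable(&r, &s, &s), toy_add_variable(&r, &b, &b));
    printf("fixed %zu/%zu\n", toy_add_fixed(&r, &s, &s), toy_add_fixed(&r, &b, &b));
    return 0;
}
```

The variable-width path also takes one extra step when a carry spills into a new limb, so two one-limb inputs can differ in cost; the fixed-width path does not.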
Simultaneously, the Foundation also will dedicate new engineering resources to address our GitHub issue backlog. Due to OpenSSL’s broad deployment, we get a large number of issues raised from many different users – on average, approximately 2.6 new issues every day, 7 days a week. Issues range from bug reports to requests for troubleshooting assistance, feature requests, and more. The number of requests has long outstripped the bandwidth of the development team, leading to a growing backlog of 1,732 open issues as of July 18, 2025.
Sovereign Tech Agency’s support will allow the Foundation to hire and train a new engineer to help close at least 600 of these historic issues while increasing our ability to respond to new ones. Our goal is to develop a plan and metrics to ensure the backlog is significantly reduced and remains manageable beyond this one-year period of funding.
Matt Caswell, President of the OpenSSL Foundation, shared: “This support from the Sovereign Tech Agency underscores the importance of OpenSSL as critical infrastructure and highlights the need for continued public investment. The Foundation is grateful for the trust placed in us and recognizes the responsibility we carry to help make the internet a more secure place for everyone, everywhere.”
Tara Tarakiyee, Lead Technologist at the Sovereign Tech Agency, said of this investment: “OpenSSL serves as critical digital infrastructure supporting countless applications and services worldwide, yet like many similar foundational open source projects, it has historically operated with limited resources. This investment in OpenSSL’s long-term security and maintainability shows Sovereign Tech Agency’s commitment to supporting essential open source maintainers and strengthening the digital infrastructure of the 21st century.”
We look forward to sharing updates as this work progresses. If you, too, are interested in helping make the internet more secure, consider a personal donation of any amount, a corporate sponsorship, or getting involved as a volunteer. We welcome everyone who believes in an internet that serves the public interest and upholds privacy and security as foundational rights.