It has been three years since the Heartbleed bug plagued the Internet, and the Linux Foundation’s Core Infrastructure Initiative (CII) was formed. As the organization embarks on the next three years, it is making new structure funding decisions, and hoping to do “less fire-fighting” and “more strategizing.”

The CII is introducing new membership levels; a smaller, elected Steering Committee; and a new Investment Committee. The new changes are designed to make sure the organization is addressing the needs of its members and providing a more direct representation of what it is going to invest in. Under the new structure, each member will be able to vote on each decision about whether or not a project gets funded.

“We make a technical assessment using our technical advisory board, and then we make a business assessment using the investment committee to determine whether this is an investment we want to make,” said Nicko van Someren, CTO of the Linux Foundation who is largely focused on the CII.

van Someren explains when the organization started, the industry was in a state of panic because it was trying to address the Heartbleed bug. Now that some time has passed and the CII has worked on making OpenSSL and other critical open-source software projects significantly more secure, the organization is beginning to turn its focus on how to prevent that panic in the first place.

“It is not that we are going to stop doing one thing, and start doing something else. It would be a mistake to think about it that way. We are not quite declaring victory on what we set out to do, but to an extent we have stemmed the bleeding,” van Someren said. “Let’s take a step back and work out what we need to do to achieve the long term goals because we don’t have to panic as much anymore.”

van Someren explained in the beginning, the CII took a heavy tactical approach. Going forward, he hopes to have a mix between both strategic and tactical approaches. The organization will continue to invest directly into projects that have security vulnerabilities, but it also wants to address how to ensure new open-source software being developed is more secure to start with. That will include building up the awareness of open-source software security, and providing the tools developers need to apply a more rigorous process.

“We still have a lot more to do. That is the thing about security…we are never really going to be done. This is a process. We are making significant inroads into improving the security process in a lot of the most important open-source projects.”

More information about the CII’s accomplishments over the last three years is available here.