OpenSSL needs corporate funding to avoid Heartbleed repeat
Summary: Steve Marquess, OpenSSL Software Foundation president, has called for major users of OpenSSL to stump up and help fund a half dozen full-time OpenSSL employees, rather than the one it has now.


An outpouring of donations to the OpenSSL Software Foundation following last week's revelation of the Heartbleed OpenSSL flaw has netted the team that produces a critical piece of internet infrastructure a mere US$9,000.

Steve Marquess, OpenSSL Software Foundation president, said that even if the small donations arrived at the same rate indefinitely, it would not be enough for the project.

"It is nowhere near enough to properly sustain the manpower levels needed to support such a complex and critical software product," Marquess said in a blog post.

Marquess said that the burden for supporting the project should not rely on individuals, but on corporations and governments.

"The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted."

Fortune 1,000 companies that use OpenSSL and never contribute to open source came in for special treatment from Marquess.

"I'm looking at...the ones who include OpenSSL in your firewall/appliance/cloud/financial/security products that you sell for profit, and/or who use it to secure your internal infrastructure and communications," he said.

"The ones who don't have to fund an in-house team of programmers to wrangle crypto code, and who then nag us for free consulting services when you can't figure out how to use it.

"The ones who have never lifted a finger to contribute to the open source community that gave you this gift. You know who you are."

Current funding arrangements for the foundation rely on support contracts, which start at US$20,000 for an annual contract and US$250 for hourly work, and on donations, which raise around US$2,000 annually. Most of the contract development work, however, is focused on specific features rather than on improving OpenSSL overall.

Marquess said that the project needed at least half a dozen full-time employees to be better managed, and that a special personality was needed to work under the current funding arrangements.

"It takes nerves of steel to work for many years on hundreds of thousands of lines of very complex code, with every line of code you touch visible to the world, knowing that code is used by banks, firewalls, weapons systems, web sites, smartphones, industry, government, everywhere. Knowing that you'll be ignored and unappreciated until something goes wrong," he said.

"The combination of the personality to handle that kind of pressure with the relevant technical skills and experience to effectively work on such software is a rare commodity, and those who have it are likely to already be a valued, well-rewarded, and jealously guarded resource of some company or worthy cause."

Striking out at comments that OpenSSL made a sloppy mistake that broke the internet, Marquess said that the mystery was not that overworked OpenSSL volunteers had missed the bug, but that such misses had not happened more often.

"Given the widespread use of OpenSSL over many years it still has an excellent track record."

"Two years passed before Google with its impressive technical resources and talent (and shortly thereafter Codenomicon) found this issue."

The call from Marquess mirrors a similar call made by OpenBSD earlier this year.

In January, OpenBSD founder and leader Theo de Raadt warned that OpenBSD would shut down if the money to cover its electricity bill could not be found.

"Rather than the 'little people' funding our efforts, many of the things we do in OpenBSD are often incorporated into products made by multimillion-dollar companies," said de Raadt at the time.

"This is not a BSD vs GPL issue, it is about a plain lack of goodwill, something you cannot mandate via a licence. A lack of goodwill is effectively bad will."

Less than a week later, the project had raised CA$100,000, with Google and one Romanian Bitcoin user being the largest donors.

The OpenBSD Foundation's funding campaign for 2014 currently sits above its CA$150,000 target, at CA$153,000.

Fellow open source foundation the GNOME Foundation today announced that it would implement a budget freeze, after it had covered the costs of internships on behalf of companies that had yet to pay for them.

Topics: Security, Open Source


Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

  • It's sad

    How many open source groups, founded on ideals of good-will, find very little of it in the real world.

    People take what they can get for free, because very few people take the time to realize that it wasn't free for those who made it.
    luke mayson
  • What do you expect?

    If you educate people, organizations and governments to use open source software for free what do you expect?

    There are no true open source companies making money. If McDonalds gave away its food for free they would go bust.

    It is the same economics in the computer world, the only way to survive and grow is to make money.

    Additionally there has been a drop in people studying computing at University, it does not help if they see no future in computing if people keep banging the drum for open source software and they will not get paid for their work.

    If individuals want to create open source then that's fine, but don't complain if there is no money forthcoming from people that take advantage of it, because it's supposed to be free.
    • It's "Free" as in "Freedom", not "Freeload"

      And I think you'll find that RedHat is an Open Source company that makes money.
      • What kind of freedom?

        If the code is so complex that no one can understand it, who do you think will take advantage of that freedom?
        • That's a non-sequitur

          You might just as well ask what do closed source companies do with products that have code bases that they no longer understand or have become bit-rotten (but still sell...)

          That's nothing to do with Freedom, though.
          • It's not a non-sequitur

            In America, and to a degree in Europe, there is this ridiculous focus on "rights" that are completely meaningless.

            If a right cannot be reasonably exercised then it is effectively irrelevant.
          • How arrogant!

            So you're saying that no-one should be allowed to exercise a right simply because it's irrelevant to *you*?!?!

            Who on Earth do you think you are?
  • Hilarious

    "The ones who don't have to fund an in-house team of programmers to wrangle crypto code, and who then nag us for free consulting services when you can't figure out how to use it."

    I guess we could all be mistaken for thinking free means free. I guess devaluing intellectual property to zero is not a desirable thing to do. Who might have guessed?

    It also shows that the code is so complex that having it free and open is meaningless if 99% of the programmers can't understand it and therefore can't change or audit it.
    • More people CAN audit code if that code is Open Source.

      If "99% of programmers can't understand it" then I'd rather the code were available to 1% of the programmers in the *World* than to 1% of the programmers in a proprietary company.
  • Need independent body

    Rather than throwing money at the OpenSSL team, there needs to be an independent group funded by the big companies to audit these critical projects.