For security alone, we could try paying open source projects properly

Instead of running around like headless chooks because a widely used piece of open source software is maintained by volunteers and has a massive hole in it, imagine paying someone to look after such software properly.
Written by Chris Duckett, Contributor

It's been an interesting couple of weeks at the intersection of Open Source Avenue and Cybersecurity Way, first with the situation around Log4j, and then this week a JavaScript developer had enough and went rogue.

Excuse me while I clutch this set of pearls very tightly as the term open source vulnerability is used, because where it seems governments think there is a pressing cyber issue, it is more often one of finances.

Particularly for a one-person project, creating under an open source licence is great when starting out: the project is barely noticed, and your users and fellow developers can help make the software better. But when multinationals and governments freeload from it, I have some sympathy for a developer who decides that supporting Fortune 500 companies for free is a bridge too far.

While the methodology of injecting an infinite loop and zalgo text might have been cooked, what decent-sized organisation was pulling down and executing code without either inspecting it or running it in a test environment first? It sucks that a number of Node.js apps fell over, but thankfully the code wasn't doing anything malicious.

Affected organisations should be considering this as a free cyber and software supply chain checkup, rather than yelling even more at a developer that is done with being yelled at.

There's a reason XKCD 2347 has received a bigger workout than usual in recent months, and it is because it exposes the truth of the matter.

"I worked for the Linux Foundation on the Core Infrastructure Initiative supporting OpenSSL and other projects," says one comment on the relevant Explain XKCD site.

"The one that scared me was Expat the XML parser maintained by two people on alternate Sunday afternoons assuming no other distractions. We did get funding for a test suite."

I have little reason to doubt this comment, because this is how the stacks that power the modern internet actually work. Deep in each stack is a weekend dependency.

While the tech giants rake in billions each quarter, somewhere there is a well-used library that doesn't receive a penny from these titans of industry. It's not illegal, but it is a bit rich on the companies' part to take advantage of free labour like this.

At this juncture, I thought an analogy about a car manufacturer using volunteer labour to make car parts would be apt, but then realised that with all those car entertainment systems, there's got to be some open source libraries or applications in there somewhere. Such is the world of the 2020s.

Last week, the debate reached the point where it was labelled as a "national security concern" in the US, and Google and IBM wanted a list of critical open source projects. While both companies have been among the best corporate supporters and funders of open source, that list really should be put straight into their respective accounting systems and sufficient payments made each month.

Unfortunately, events at the intersection of Open Source Avenue and Cybersecurity Way have a habit of repeating themselves.

It was almost eight years ago during the Heartbleed flaw that OpenSSL said it was time for major users to stump up and help fund projects.

At the time, OpenSSL had one full-time employee, and an outpouring of donations in the week afterwards had netted a mere $9,000.

"It takes nerves of steel to work for many years on hundreds of thousands of lines of very complex code, with every line of code you touch visible to the world, knowing that code is used by banks, firewalls, weapons systems, web sites, smartphones, industry, government, everywhere. Knowing that you'll be ignored and unappreciated until something goes wrong," OpenSSL Software Foundation president Steve Marquess said.

"The combination of the personality to handle that kind of pressure with the relevant technical skills and experience to effectively work on such software is a rare commodity, and those who have it are likely to already be a valued, well-rewarded, and jealously guarded resource of some company or worthy cause."

OpenSSL would eventually get some funding from the Core Infrastructure Initiative, which would be superseded by the Open Source Security Foundation, but I doubt either of those two organisations would have considered a Node.js module or a Java logging framework as critical infrastructure worthy of funding and auditing.

Funding needs to go beyond just the term "critical" and move more towards "widely used but underfunded", because with the right vulnerability, any previously innocuous piece of software can suddenly become critical.


The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.