Heartbleed OpenSSL Bug Reveals the True Cost of Open-Source Software
What checking that does happen can take years. That's what happened with OpenSSL, and is the cause of the Heartbleed bug. The obvious question here is, Why does something as critical to the safety of the Internet as OpenSSL get so little attention? The answer is equally obvious—money. Those large companies that use OpenSSL for their business haven't been contributing anything to its development. In fact, the few thousand dollars the OpenSSL project got last year came from individual donors worried about spying. What's worse, this problem with open source is no secret, as is detailed by USA Today and Yahoo Tech columnist Rob Pegoraro in his blog. What it boils down to is that everybody just assumes that open source is magically validated and must be OK. Unfortunately, sometimes it's not. It's the nature of such community development projects that sometimes big problems get missed, as Craig Timberg explains in The Washington Post. But rather than use the Heartbleed bug as a reason to indict open source as being unreliable, what really needs to happen is to use this as a wakeup call. All of those companies—from Yahoo to Dropbox—that used OpenSSL without doing anything to help create and improve the product are paying for that neglect now. Once they spend millions to fix the problem, perhaps they can spend a few thousand more to help fund development of this critical security library.But there's no reason why Google, Yahoo and others can't contribute to development. Sure, the code might be free, but it's not without cost. The companies that have been using the code for free and benefiting from it are now discovering the true cost of free, open-source software. But there is more than one way to pay for free software. You can pay a little up front to help make sure it's done right, is tested thoroughly and is stable, or you can pay a lot more later when you find out that it's none of those things. Now that these companies have discovered that higher cost of paying later, maybe they can save money in the long run by paying a little bit forward. To follow Wayne Rash on Google Plus, click here. To follow Wayne Rash on Twitter, click here.
Ultimately, the projects that come out of the open-source communities are excellent products, but to achieve excellence, they need more resources than they are getting. The people who donate their time and talent to create critical products such as OpenSSL have rent to pay, food to buy and families to support. They may want to spend their lives creating excellent software, but they can't without help.