Will Open-Source Money Prevent the Next Heartbleed?

NEWS ANALYSIS: The OpenSSL Software Foundation is now asking for money to help fund its efforts. Will it make a difference or is a different model needed?

The Heartbleed security vulnerability dominated tech headlines last week as a critical risk to the foundation of the Internet.

Heartbleed is a flaw within the open-source OpenSSL cryptographic library that is widely used on Linux servers and cloud services around the world. While OpenSSL is widely deployed, some have argued that it is not widely supported and that the open-source model itself might be at fault.

Truth is that open source is not about cost; it's about code that is freely available to consume and contribute to. In the case of OpenSSL, the flaw was found in part because the code is open and the mitigation also happened because everyone has the code. That type of review and remediation mechanism is just not possible with closed source code, where end users and enterprises must wait for the closed-source vendor to release an update for everyone.

As an example, take a look at how Microsoft handles security vulnerabilities in a closed-source product. Microsoft's Internet Explorer Web browser today is at risk from multiple zero-day flaws that were first publicly demonstrated at the Pwn2Own hacking challenge in March. Hewlett-Packard, the sponsor of Pwn2Own, disclosed the flaws only to Microsoft, so the risk isn't widespread.

Still, the simple fact of the matter remains that there are unpatched flaws. In the open-source model, you can't hide behind a closed door, which, in my opinion, provides better security. Security through obscurity might work some of the time, but if you're secure in the open, you're likely better off.


The other big question raised against OpenSSL is the level of support it receives. This is a very serious question and one that open-source vendors do need to address. The way OpenSSL works is that there are a very small number of core contributors, and then there are all the various Linux distributions and embedded vendors that consume and package OpenSSL for their own needs.

In the open-source development model, the Linux distributions will also contribute back fixes and even features as they come up. As such, it's difficult to measure the precise size of an active development community for OpenSSL.

That said, it is now very clear that OpenSSL development could benefit from dedicated full-time, properly funded developers. It's a need that Steve Marquess, co-founder and president of the OpenSSL Software Foundation (OSF), is now openly advocating for.

In a blog post, Marquess noted that the OSF typically receives only $2,000 a year in donations. Since news first broke about the Heartbleed bug, the OSF has raised $9,000 in donations.

"Even if those donations continue to arrive at the same rate indefinitely (they won't), and even though every penny of those funds goes directly to OpenSSL team members, it is nowhere near enough to properly sustain the manpower levels needed to support such a complex and critical software product," Marquess wrote.

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.