If we want to prevent Heartbleed-like bugs from happening again, OpenSSL needs money

Apr 14, 2014 14:16 GMT  ·  By

Steve Marquess, one of the founding partners of the OpenSSL Software Foundation, is speaking out and expressing his personal views after the Heartbleed bug drew attention to how the open source project is run and funded.

While many have slammed OpenSSL, saying that this is what you get when you entrust such an important tool to a loose group of volunteers, Marquess says plainly that the project needs support from companies and governments to pay a small team of full-time developers.

“As has been well reported in the news of late, the OpenSSL Software Foundation (OSF) is a legal entity created to hustle money in support of OpenSSL. By ‘hustle’ I mean exactly that: raising revenue by any and all means,” says Marquess, explaining that the foundation typically receives about $2,000 a year in outright donations.

In the past week alone, he says, some two hundred donations have come in, raising about $9,000.

Even so, this is nowhere near the sum the OpenSSL project needs to survive and thrive, let alone to make bugs such as Heartbleed far less likely in the future.

“While OpenSSL does ‘belong to the people’ it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support. The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted,” the co-founder says.

Aside from goodwill donations, OpenSSL also makes money from consulting contracts, which bring in about $250 per hour. “I could sell more hours at that rate if only there were more hours to sell,” Marquess explains, pointing out just how sought after the project's experts are.

Alas, not even this brings in enough money to sustain the developers or to offer them proper salaries. Those who work on OpenSSL don't do it for the money or fame; they do it out of pride in their work and a sense of responsibility for something they believe in.

That being said, the foundation needs active support from the world's corporations and governments, as well as from anyone willing to lend a helping hand, so that it can hire a proper team to maintain OpenSSL without having to hustle commercial work just to keep cash flowing.

The Heartbleed bug is reported to have put as much as two thirds of the world's websites at risk, and it was caused by a basic programming error: a missing bounds check. Had there been more eyes looking at the code, it would likely have been caught and fixed before the release shipped.
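To show what "a basic programming error" means here, the following is an added example written for this article, not OpenSSL's own code. It models a TLS heartbeat message (one type byte, a two-byte big-endian payload length, the payload, and 16 bytes of padding) with a deliberately simplified handler. The first handler trusts the peer's length field, as the buggy code did; the second adds the check that was missing. The memory after the record, the function names, and the "SECRET-KEY-MATERIAL" bytes are all constructed for the demo and stand in for whatever happened to sit in the process heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* minimum padding a heartbeat message carries */
#define ARENA_SIZE  512     /* constructed stand-in for a slice of the heap */

/* Constructed secret placed right after the record in the demo arena. */
static const char SECRET[] = "SECRET-KEY-MATERIAL";

/* 16-bit big-endian length, as on the TLS wire. */
static uint16_t n2s(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Heartbeat handler that trusts the peer's payload_length field.
 * rec points at the message, rec_len is how many bytes really arrived.
 * Returns the number of response bytes written, or 0 if nothing is sent.
 * Only the output buffer is bounded; the read from rec is not, so the
 * memcpy copies bytes that lie beyond the received record.
 */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = n2s(rec + 1);                 /* peer controlled */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);               /* over-read past rec_len */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* The same handler with the missing check: the claimed payload plus the
 * header and padding must fit inside what was actually received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = n2s(rec + 1);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                                    /* drop silently */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Lays out a heartbeat record claiming claimed_len bytes but carrying only
 * real_payload, then puts the constructed secret immediately after it.
 * Returns the real record length. */
size_t build_demo_arena(unsigned char *arena, uint16_t claimed_len,
                        const char *real_payload)
{
    size_t plen = strlen(real_payload);
    size_t rec_len = 1 + 2 + plen + HB_PADDING;
    memset(arena, 0, ARENA_SIZE);                    /* padding stays zero */
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, real_payload, plen);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Returns 1 if the secret appears anywhere in the response. */
int response_leaks_secret(const unsigned char *out, size_t out_len)
{
    size_t n = sizeof SECRET - 1;
    for (size_t i = 0; i + n <= out_len; i++)
        if (memcmp(out + i, SECRET, n) == 0)
            return 1;
    return 0;
}

/* Runs one request through the vulnerable handler; 1 if it leaked. */
int demo_vulnerable_leaks(uint16_t claimed_len, const char *payload)
{
    unsigned char arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_demo_arena(arena, claimed_len, payload);
    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    return response_leaks_secret(out, n);
}

/* Runs the same request through the fixed handler; returns its reply size. */
size_t demo_fixed_response_len(uint16_t claimed_len, const char *payload)
{
    unsigned char arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_demo_arena(arena, claimed_len, payload);
    return heartbeat_fixed(arena, rec_len, out, sizeof out);
}

int main(void)
{
    printf("claims 200, sends 2: vulnerable leaks=%d, fixed replies %zu bytes\n",
           demo_vulnerable_leaks(200, "hi"), demo_fixed_response_len(200, "hi"));
    printf("honest request:      vulnerable leaks=%d, fixed replies %zu bytes\n",
           demo_vulnerable_leaks(2, "hi"), demo_fixed_response_len(2, "hi"));
    return 0;
}
```

The demo keeps every read inside its 512-byte arena so it is well defined; the real bug let a peer request up to 64 KB per heartbeat, each one echoing back whatever followed the record in memory. The fix is a single comparison of the claimed length against the received length, which is exactly the kind of check a second reviewer tends to ask for.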