
“In a typical year the OpenSSL project receives about US $2000 in donations” - blazespin
https://groups.google.com/forum/m/?authuser=0#!topic/mailing.openssl.users/-P4T62ml_1I
======
patio11
Note the almost painfully predictable response to the thread. Instead of
focusing on how OpenSSL can pull in, let me pick a number, $800k in revenue in
the next year, they immediately zero in on $70 of Paypal fees as the
organization's leading financial problem.

~~~
emilsedgh
You make it sound so easy. Any suggestions you've got regarding $800K in
revenue in the next year? :)

~~~
amalcon
Anyone who wants to stay in the "hears-about-this-kind-of-thing-early" club
should need to pay $10k/month (though of course membership in this club is
still offered at OpenSSL's sole discretion, and they would be allowed to waive
this fee).

Google, Amazon, Facebook, and Akamai (off the top of my head) will each pay
that without batting an eye; that's $480k/yr. right there. I imagine they
could probably get some banks in that club as well.

~~~
cperciva
_Anyone who wants to stay in the "hears-about-this-kind-of-thing-early" club
should need to pay $10k/month_

If I find a vulnerability in code from a project which is pulling this sort of
stunt, I will make sure I share details with distributors only under the
strict condition that they are not allowed to tell the project about it.

Responsible disclosure usually means "start by telling the authors", because
usually the authors know who needs to be contacted and will do that
responsibly. If they're just going to sell off exploits to the highest
bidders, they should have no role in the disclosure process.

~~~
SoftwareMaven
I'm not even sure where this comment came from, and how it applies. This isn't
about delaying details to anybody (or, worse, hiding details from anybody),
it's about providing details earlier to a group of people who have a strong
enough vested interest that they are willing to pay for it and have been
vetted as trustworthy enough to allow it.

Given how important OpenSSL is to the web's infrastructure (and the many
companies who utilize it), I think there would be value in ensuring it has
appropriate resources to fulfill that duty. This idea may not be a perfect
solution, but calling it a "stunt" is hyperbole, IMO.

~~~
phil21
>This isn't about delaying details to anybody

Yes it is. If you disclose early to a select group, you are by definition
delaying details to everyone else.

The paid early disclosure stuff used to exist all over the place, and it was a
joke in terms of it being immediately leaked to those in the know.

~~~
SoftwareMaven
Except you can't give security vulnerability details to everybody until you
have a patch ready (and I certainly wouldn't argue that you should allow
paying for earlier access to the patch). On the other hand, when you have a
business relationship with somebody, with non-disclosure agreements in place,
you can tell them more details much earlier.

------
AaronFriel
What other people have said in comments is completely right: OpenSSL, or maybe
just this Steve Marquess guy, is missing the forest for the trees. Or in this
case, the six figure donations for the pennies. OpenSSL could raise more money
in a few months of panhandling in a major city than they raise in a year[1].

A student group that I will soon be President of at the University of Northern
Iowa[2] received more in donations and financial support. Our student group is
not the best managed, but we care a lot about large sponsors, keeping good
relations with them, and making asks that matter.

If someone told me that panhandlers and Midwest student organizations are
out-fundraising OpenSSL, I would scoff and laugh. OpenSSL? That's mission-critical
software running on nearly every PC and post-PC device _in the world_. You
know what OpenSSL reminds me of in this respect? SQLite.

SQLite charges $75,000 for consortium members[3] to have 24/7 access to phone
support direct to developers, guaranteed time spent on issues that matter to
them, and so on.

The fact that this doesn't exist for OpenSSL is an embarrassment to project
management. I made an offer in that email thread to try to raise $200,000 for
OpenSSL by the end of 2014, and I'm repeating it here for visibility:

If you are an employee of a corporation that wants to donate to directly
support OpenSSL development by funding staff time, send me an email right now:
friela@uni.edu

If you are in the OpenSSL foundation, send me an email right now and I will
try to solve your problem by finding a phone number at every major OpenSSL
using corporation and making an ask. Want me to do that? Send me an email
right now: friela@uni.edu

[1] [http://www.ncbi.nlm.nih.gov/pmc/articles/PMC121964/](http://www.ncbi.nlm.nih.gov/pmc/articles/PMC121964/)

[2] [http://www.unifreethought.com](http://www.unifreethought.com)

[3] [http://www.hwaci.com/sw/sqlite/prosupport.html](http://www.hwaci.com/sw/sqlite/prosupport.html)

[4] [https://sqlite.org/consortium.html](https://sqlite.org/consortium.html)

~~~
wfn
fwiw, they actually try to do contracting/consulting and they do have sponsor
programs (just fyi):

[http://www.openssl.org/support/donations.html](http://www.openssl.org/support/donations.html)

[http://www.openssl.org/support/funding/contract.html](http://www.openssl.org/support/funding/contract.html)

[http://www.openssl.org/support/consulting.html](http://www.openssl.org/support/consulting.html)

[http://www.openssl.org/support/acknowledgments.html](http://www.openssl.org/support/acknowledgments.html)

~~~
AaronFriel
> [http://www.openssl.org/support/acknowledgments.html](http://www.openssl.org/support/acknowledgments.html)

And they're not selling Qualys on future contributions. They got their logo
there, and it seems like it'll stay there forever. They are a "Past
Contributor", and they get what could be prime corporate advertising space to
security engineers for free every year they don't contribute. I can't tell if
they're a current contributor, or how much it would cost to put $MY_COMPANY
logo there. And I don't know why I would care, because it appears OpenSSL
doesn't seem to care about who is paying year-to-year.

It says "Past or Current". That should just say "Current". Anyone who isn't a
current contributor should get their name taken off. Also, where is Google?
Apple? Microsoft? IBM? Oracle? Juniper? None of those names have logos up
there. That should be fixed. Has anyone ever cold-called those companies and
asked to talk to their sponsorship and corporate contributions groups?

------
Nelson69
The donations are one aspect. I'm on the dev mailing list, been lurking for a
few years, I've used openssl for various things for years and I have had an
interest in when some newer TLS standards were going to be supported. It's a
pure bazaar as best I can tell. It's nearly magical how releases happen. I
don't know if there is a secret mailing list for the core developers or some
IRC channel or something, people post patches to the list, there are some
occasional questions and answers, it's insanely low volume for a project as
popular as it is. Every now and again some big patches with a lot of new stuff
drop. Every now and again someone ponies up some big money and FIPS
certification happens. It just sort of keeps meandering along without a
benevolent dictator.

------
tptacek
A sponsored bug bounty might be just as useful as more money directly to the
project (especially if Google is porting Chromium to it). The nice thing about
sponsoring a bug bounty is that anybody can do it; it doesn't require
coordination with the project.

~~~
daeken
The Internet Bug Bounty that Facebook and Microsoft are sponsoring applies to
OpenSSL: [https://hackerone.com/ibb](https://hackerone.com/ibb)

~~~
leoc
The prize pool could use to be a damned sight larger though. Heartbleed only
qualified for a $15,000 payout: a figure ten times larger would still look a
bit stingy for such a serious bug.

~~~
nightcracker
I'm certain that certain agencies would value exclusive knowledge of this bug
at millions, rather than thousands.

~~~
leoc
Certain ... private enterprises, as well. It's very unlikely that bug bounty
prizes can be made to match the kind of money you might be able to get
elsewhere for a big bug; but they don't really have to.

------
kenrikm
Wow, I'm surprised that someone that's so crucial to the well being of so much
of our internet security is funded on $2000/year in donations. I think I'm
going to start donating more to stuff like this.

~~~
jasonlotito
[https://supporters.eff.org/donate](https://supporters.eff.org/donate)

They make it easy to set up recurring donations. I'm sure even a small amount
every month makes a difference.

~~~
windsurfer
Does the EFF donate to OpenSSL?

~~~
juliangoldsmith
If they did, OpenSSL wouldn't have $2000/year in donations. Most of the EFF's
donations go towards fighting cases in court, if I'm not mistaken.

------
saurik
So, first: I agree with patio11. But past that, this thread also bugs me
because it is so ill-informed: the very first question that has to be asked is
"what is the distribution of donation amounts", as the way to minimize
processing fees of "we got one donor who gives almost $2k, and then a handful
of people we choose not to turn away who give a few dollars each" is very
different than how you handle "we have $2k donors, they all give a dollar".
PayPal's micropayment fees are $0.05+5%, which is a massive difference from
the default $0.30+2.9% quoted.

And if you have only one really large donor, you get them to give you a
check. And then you put their name somewhere. And you send them some thank you
letters. And you ask for their advice on how to talk to their friends, as
maybe they might also want to donate. Because patio11 is just dead-on right:
it is more useful to increase the incoming money here, not avoid losing some
fees :/. But again: even if we choose to nitpick fees... this conversation is
still going nowhere if the distribution of donations and the process of
receiving them (if you have mostly random donations, having them do bank
transfers is going to massively increase the loss rate ;P) is not where the
discussion started.

~~~
funkyy
Let's agree that guys behind this project are not business-wise. Thus - they
are not really in place to raise money, nor manage funds properly. With such
an important "service" they provide, they could easily go into ~$1 Million a
year without sweating. They should look for manager/director to manage
finances and growth strategy. I bet many marketing people would LOVE to manage
such a project business wise including me!

~~~
hueving
>I bet many marketing people would LOVE to manage such a project business wise
including me!

I highly doubt the engineers want to be 'managed' by a marketer looking to
raise money.

------
paulbaumgart
Soo, throwing a little bit of economics out there: BSD-licensed open source
software is pretty much a Public Good
([http://en.wikipedia.org/wiki/Public_good](http://en.wikipedia.org/wiki/Public_good)).
There are basically two ways we've figured out how to create public goods:
taxation and assurance contracts (like Kickstarter).

Thoughts on the pros and cons of either approach with respect to improving
information security infrastructure?

~~~
sp332
Since the NSA (and probably other government agencies) are already researching
vulnerabilities, it would be nice to have them made public. We're already
paying for the research, so we wouldn't really have to raise taxes.

~~~
dmix
They are not just researching, they are weakening security for everyone,
especially domestically considering Americans dominate tech businesses. So not
only are Americans paying for research that returns no economic benefit
(unless NSA is sharing info with American special interests and are not just
security?), they are making it nearly impossible to have full trust in the
information systems the business community invests heavily in protecting.

I imagine if the NSA was focused on defending businesses and not reading
emails of people, they wouldn't be getting the same amount of financing. They
are financed for their power to exploit people the government feels threatened
by, not their ability to defend citizens from harm.

------
higherpurpose
Shameful that so many billion dollar corporations rely on it in such a vital
way, and only so little is being donated to it.

I think we need a score card for donating to open source projects, in the same
way we have score cards for using green materials in devices, or using
renewable energy for data centers. We should see periodic reports of how much
money these companies donated to open source projects.

~~~
adrianoconnor
Indeed, and maybe we'll see some of the big companies hire and assign people
to work on it now. I hope so. It'd be good to see the code audited too, though
I'm not sure how you'd go about that with a project like OpenSSL. I suspect
it'd have to involve funding a PhD or two...

------
socalnate1
I'm surprised I haven't seen anyone mention the "tragedy of the commons"
economic theory yet. Though in this case it seems to be happening in reverse,
rather than depleting the common resource, we are all neglecting to invest in
it.

[http://en.wikipedia.org/wiki/Tragedy_of_the_commons](http://en.wikipedia.org/wiki/Tragedy_of_the_commons)

------
dpweb
The OpenSSL debacle exposes a real problem with Open source sw. There is
massive financial incentive to break it, none to make it safe. Funding its dev
does little. Fund guys to break it who will tell you how they did it.

------
lazylizard
i think, generally, the tendency to think openssl needs help right after
seeing openssl need help is..ignoring the problem that there might be other
projects similar to openssl, who need help. it's like donating to 1 disaster
victim because she appeared in a news story. this thing should be left alone
and looked into after a few months (i don't know how long it takes for people to
forget, actually) of no stories in the press about openssl.

otoh, if there were a foundation that collected money and funded many
projects..it'd look like apache perhaps..

personally, i wouldn't mind an option to donate to apache or openssl in a
humblebundle, nor do i mind an option to stick a donate button/widget on my
website.. or even better, have the widget rotate recipients..

------
jokoon
Why not rewrite the whole thing ?

~~~
kyberias
Yeah, why not.
[http://www.joelonsoftware.com/articles/fog0000000069.html](http://www.joelonsoftware.com/articles/fog0000000069.html)

~~~
anonbanker
Worked for Mozilla.

~~~
twic
I am utterly baffled by the fact that people are _still_ posting that link as
if it proved anything other than the fact that Joel Spolsky has absolutely no
idea what he's talking about.

Or has this now become a running joke? Was the posting of that link ironic?

~~~
tempestn
Was this comment ironic? Can you back up your claim, "Joel Spolsky has
absolutely no idea what he's talking about," with some evidence?

~~~
a8000
Rewriting from scratch can be beneficial, take the V8 engine in Chrome for
example.

~~~
kyberias
Let's. Because this is confusing. What JavaScript engine was the V8 rewrite of,
or did it experience a rewrite of itself at some point in time?

------
wnoise
That's unfortunately still too much. Raising any more money will only delay
the death of a project that has suppressed the use of better written projects
by dominating that niche in the ecosystem due to first-mover advantage.

------
betadreamer
I'm very surprised how low the donation is. This proves that OpenSSL was
maintained more from contribution / volunteer rather than professionally. No
wonder why they were not the first one to find the heartbleed bug...

------
mercurial
My usual suggestion would be "that's part of the infrastructure, so
governments should get together and foot the bill", but this approach doesn't
work for this particular use case.

------
btbuilder
I'm interested in how the payments by third-party companies to OpenSSL
foundation for white labeled FIPS-mode OpenSSL are accounted for. Maybe it's a
separate entity?

------
keithgabryelski
it's time for the community (and possibly all major open source projects) to
have code review parties.

1 week before, a module is declared the subject. at the time of the party, the
major owners are on the hook for function by function questions, and line by
line when it merits.

reddit? or even a special github community service.

------
dalek2point3
this might not necessarily be a good thing. see:
[http://en.wikipedia.org/wiki/Motivation_crowding_theory](http://en.wikipedia.org/wiki/Motivation_crowding_theory)

------
nobodyshere
Is it so vaguely undervalued or does it just work so well that it does not
need too much improvement?

~~~
danielweber
"It works even if I don't pay for it."

------
teemo_cute
OpenSSL is like a guardian angel who's invisible to a person. The guardian
angel has been helping the person all the time even though he/she doesn't know
it. Then the time came that the guardian angel made a little unintentional
mistake that led to large consequences. The person then starts blaming the
guardian angel, forgetting all the good things the angel has done for him/her.

~~~
sz4kerto
No, because people are paying for it. Not directly, but through their internet
contracts, banks, etc. Those people expect that their stuff is secured, they
do not need to know how.

My grandma probably does not even know that ESP exists in cars. However, if
the ESP stops working, then she could rightfully blame the car manufacturer.

Persons are not blaming OpenSSL as some imaginary entity, they blame people
who are involved in making, reviewing, accepting and using OpenSSL.

~~~
ProblemFactory
I don't think the analogy works. None of the money, and all of the blame ended
up with people who make and review OpenSSL as volunteers.

------
raverbashing
Underfunding is not an excuse for a code that gives headaches to people, lack
of testing and blind acceptance of "new features" just for the sake of it.

~~~
liquidise
The code is openly sourced, developed, and tested. It, like privately sourced,
developed and tested code contains bugs. Since you are casting the stones, am
i to assume code you have been around is free of these eventualities?

~~~
raverbashing
What I'm saying is that we should be looking at (open) alternatives to
OpenSSL, like GnuTLS for example.

It's not about open vs closed or "all code has bugs", it's about the OpenSSL
project needing to rethink their security strategy and general guidance.

~~~
feld
GnuTLS does not use an acceptable license. Apache/BSD/MIT please. It's the
only way you'll find it replacing OpenSSL everywhere.

------
ry0ohki
Dumb question perhaps, but what do they need money for? What would they use it
for? It says they pay it out to team members, but if people are doing this
work for the money, doesn't that defeat the point?

~~~
forgottenpass
_if people are doing this work for the money, doesn't that defeat the point?_

What exactly do you think "the point" is. To not be compensated at all in any
way for your work?

I see a BSDish license as an indication someone wants their work to be
available to anyone. Not a statement that the product itself must be kept
purely a labor of love.

~~~
ry0ohki
Yes, if people want to be compensated in cash for their work they sell it or
become employed by others. I've always seen open source more as a karma type
of thing and never expected any compensation for my contributions.

~~~
stefan_kendall3
So go work on OpenSSL. Oh wait.

