Hacker News new | past | comments | ask | show | jobs | submit login
“In a typical year the OpenSSL project receives about US $2000 in donations” (groups.google.com)
370 points by blazespin on Apr 11, 2014 | hide | past | web | favorite | 161 comments

Note the almost painfully predictable response to the thread. Instead of focusing how OpenSSL can pull in, let me pick a number, $800k in revenue in the next year, they immediately zero in on $70 of Paypal fees as the organization's leading financial problem.

You make it sound so easy. Any suggestions you've got regarding $800K in revenue in the next year? :)

Anyone who wants to stay in the "hears-about-this-kind-of-thing-early" club should need to pay $10k/month (though of course membership in this club is still offered at OpenSSL's sole discretion, and they would be allowed to waive this fee).

Google, Amazon, Facebook, and Akamai (off the top of my head) will each pay that without batting an eye; that's $480k/yr. right there. I imagine they could probably get some banks in that club as well.

Anyone who wants to stay in the "hears-about-this-kind-of-thing-early" club should need to pay $10k/month

If I find a vulnerability in code from a project which is pulling this sort of stunt, I will make sure I share details with distributors only under the strict condition that they are not allowed to tell the project about it.

Responsible disclosure usually means "start by telling the authors", because usually the authors know who needs to be contacted and will do that responsibly. If they're just going to sell off exploits to the highest bidders, they should have no role in the disclosure process.

I'm not even sure where this comment came from, and how it applies. This isn't about delaying details to anybody (or, worse, hiding details from anybody), it's about providing details earlier to a group of people who have a strong enough vested interest that they are willing to pay for it and have been vetted as trustworthy enough to allow it.

Given how important OpenSSL is to the web's infrastructure (and the many companies who utilize it), I think there would be value in ensuring it has appropriate resources to fulfill that duty. This idea may not be a perfect solution, but calling it a "stunt" is hyperbole, IMO.

The FreeBSD Security Team works with other software distributors to make sure that they have advisories and patches ready when bugs are first disclosed publicly.

In my years as FreeBSD Security Officer, we in very rare cases gave advance notice of vulnerabilities to end users, and those decisions were made on the basis of "we happen to know that these people are using the software in a way which makes them particularly vulnerable". (In most or all such cases we didn't even provide a patch, just a warning of "make sure you have people around at 10AM tomorrow in case you need to release an update quickly".)

Nobody ever got advance notice by virtue of having donated money, and I reminded Security Team members that they should not give any advance disclosure to their employers.

>This isn't about delaying details to anybody

Yes it is. If you disclose early to a select group, you are by definition delaying details to everyone else.

The paid early disclosure stuff used to exist all over the place, and it was a joke in terms of it being immediately leaked to those in the know.

Except you can't give security vulnerability details to everybody until you have a patch ready (and I certainly wouldn't argue that you should allow paying for earlier access to the patch). On the other hand, when you have a business relationship with somebody, with non-disclosure agreements in place, you can tell them more details much earlier.

Given that you are the exact type of person that I would want reviewing OpenSSL, thank you for your feedback!

What would you say if this was worded more like Patrick's "priority support" clause in his analysis of Tarsnap?Practically it would just mean they send an email to the priority support list before they send it to the listserv. I still think major enterprises would get on board.

Practically it would just mean they send an email to the priority support list before they send it to the listserv

Mail servers are fast enough these days that I don't think that it really matters what order the emails go out in. Maybe someone would want to pay to get a phone call when an advisory goes out, though.

I have no objection to providing support for paying customers, e.g., to help them figure out if they're affected by a bug. But money should not result in you hearing about a bug any earlier.

For the record, this is more what I had in mind. I was just very bad at explaining it.

So, I for one am convinced at this point -- largely by your comments, but also the rest of the thread -- that this proposal would burn too much goodwill. I think charging businesses for "something" is an avenue that needs to be explored, but early notification is clearly not that thing.

So, people are definitely misinterpreting my suggestion. This is my fault, as looking back I stated it pretty badly.

The goal is to give businesses who are already in the early-warning club an excuse to write $10k checks every month. The intention was not to solicit anyone and everyone.

It would continue to only be offered to organizations who are (in the collective opinions of the OpenSSL project leaders) going to neither leak nor use the vulnerability -- exactly what happens today.

They would be allowed to (and, I'd hope, would) waive the fee if a major stakeholder were obstinate about it, because (I hope) they actually care about the security of the Internet.

Your proposal is still bad :-) but the good faith attitude with which you engaged responders is a model for mature discourse.

This sounds like it would introduce a massive conflict of interest.

Also it assumes the OpenSSL team are the first to know about vulnerabilities. Heartbleed has shown that's not always the case.

Don't you think that does not align with the ethics of 'Open'SSL project?

Not having enough resources to keep the 'SSL' part working makes the 'Open' part pretty irrelevant.


1. Purchase access to the club for $10K/year

2. Wait for next vulnerability

3. Immediately sell details to hackers via bitcoin

4. ???


You offer this membership only to trustworthy members of the community who have interest in keeping their services and products secure such as RedHat, Google, Facebook, Oracle, Debian and so on. I think you can trust people in Google not to exploit vulnerability and not to sell it for bitcoins.

Unless critical vulnerability is exploited in the wild, it should first be disclosed to big Linux distributors so they can prepare patches and to companies responsible for critical Internet infrastructure so they can fix their system before telling general public. With this proposal you just charge companies who can afford it membership fees and provide this service for free to open source/non profits who could not afford it.

Followed up with an NDA with an indemnity clause.

someone below suggested hitting up all the multi-million dollar companies that use openSSL. A now deleted response said something to the effect of "sure, that's easy. I'll just call up the purchasing department."

I don't know a lot about large companies, but I do know a little about getting small companies to give you money. Small companies are cheap, but there are a lot of us, and if you only need $800K, well, that is 800 companies donating a grand a year each. There are many thousands of small technical businesses who can afford a grand a year.

So. First problem, for a small company? You need to give us something to buy. This helps out tax-wise, and it also makes the deal feel better. Hell, you can call OpenSSL a for-profit at that point, which means little paperwork for you, and if you pay out everything you get as salary, you have to pay the same payroll taxes on that either way anyhow, if I am not mistaken.

So, what can the OpenSSL people sell me without causing a conflict of interest? How about advertising? maybe give me a website badge. "OpenSSL sponsor" maybe with a silver/gold/bronze or something (or maybe even just the amount) - Also put me on the sponsors list on the OpenSSL website with a link to my website and maybe my tagline or a logo at the more expensive levels.

I'll take the grand out of my advertising budget and it's all above-board tax wise for me, and the paperwork is easy. I've bought advertising before.

The purchasing department is the last place you'd want to call - purchasing is department people in the org. go through to buy things, not the other way around.

You'd either want to talk to some senior in IT security or anyone above them, upto including the CTO or someone in risk management/liability. Doing sales to those people is most likely expensive, probably costing $10k+ per client which would be the cost of someone going to networking events, visiting prospects, presentations, documents etc.

In my experience paying yearly is much preferred to paying monthly in large orgs. due to the process that has to be gone through to purchase something (Longer than a year can cause budgeting problems).

>You'd either want to talk to some senior in IT security or anyone above them, upto including the CTO or someone in risk management/liability. Doing sales to those people is most likely expensive, probably costing $10k+ per client which would be the cost of someone going to networking events, visiting prospects, presentations, documents etc.

This is why I'm suggesting something that can be sold online, at a price point that doesn't require per-customer sales effort. I don't have many $1000 per year customers, but I have a few; and I have a fair number of $500+ per year customers. I did not spend more sales effort on those customers than I did on my $100/year customers.

I say this as evidence that $1000/year is below the "high touch sales" threshold.

I mostly thinking you'd go to big companies with something at the $100k/year level for membership - including some influence in project direction, code review methods, audits, features etc.

Selling something online, could work but the question is what do they get for their money? a t-shirt, name on website etc. Though in a world of kickstarter it could work if done right. This is a $50/yr deal for most which is 20k people to get to that same $100k with a lot more community work to keep up with those people.

my main point here is that there is space between $50 and $100,000. Assuming OpenSSL doesn't have infrastructure, my suggestion is that they try to charge as much as they can and still stay under the level where you need sales.

$1000, from experience, is below the level where you need per-user sales.

>Selling something online, could work but the question is what do they get for their money? a t-shirt, name on website etc. Though in a world of kickstarter it could work if done right. This is a $50/yr deal for most which is 20k people to get to that same $100k with a lot more community work to keep up with those people.





I would suggest that for corporate sponsors, you make it more clear than Theo does that you are buying advertising, not donating money. I think selling a "I helped pay for software you use" website badge is a good way of doing that... but look at the mirrors.centos.org sponsors page. You are very clearly buying advertising space, in that case.

Heck, the CAs charge a lot of money for badges that mean nothing; The OpenSSL people could create a similar badge. "OpenSSL developer club auxiliary" or something.

The problem isn't a lack of >I'll take the grand out of my advertising budget and it's all above-board tax wise for me, and the paperwork is easy. I've bought advertising before.

It's a lack of,

>I'll call up and close 800 businesses for you and keep track of invoicing them. As well as do product management on getting something together that is something they can support. I don't need any resources.

At this level, I wouldn't call anyone. In my experience, the best publicity is news stories written by other people. Many years ago, when I was the best ram per dollar deal around, a blogger's benchmark that made the reddit and hn front pages took my business from almost nothing to "I can quit my dayjob" money in a very short period of time. I bet if the OpenSSL folks announced this soonish, the sales work would be done by the media. In fact, I think this is the big advantage of the low-dollar small-business accounts. You can say "here is the deal, take it or leave it" and wait for people to take it. For the big corporate deals, you have to meet and call and actually sell.

And for invoicing at this scale, use cashflow accounting. The sale closes when you receive payment. There will be some work matching up checks to logos, but at $1000 a pop, the 5% of customers who don't write the account identifier on the check are worth tracking down.

You do need to do accounting, but you need to do accounting at the current $2000/year level, too. I don't think they are committing themselves to all that much extra work if they only get a few buyers.

I have... intimate experience with the "I got too many customers before I had sufficient automation" problem... and yeah, it is a problem when you have $50/yr customers. It is not a problem, I think, when your smallest customers are $1000/yr.

1) They need to form a 501c3.

2) They need to coordinate with fortune 1000 companies to get their company listed as a United Way alternative.

3) They need to campaign the nerds in the tech community whose companies do United Way donations and ask that their donations are directed to the OpenSSL foundation.

This solves 2 problems: 1 is the immediate need for cash, and 2 is a reliable cash flow. We donate monthly. I currently give to a cancer non profit and a local hacker space. I would move my donations away from the hacker space for the foreseeable future of the OpenSSL guys did this.

A 501(c)(3) is expensive in legal work. Unless they can find a pro-bono lawyer, this puts the plan in the "it takes money to make money" category.

Then it still doesn't guarantee they'll increase donations without marketing so people know about it. Until Heartbleed became public, I imagine few companies were aware that OpenSSL had so few resources and such great needs. They definitely need to capitalize and hope the bad press doesn't make large companies seek an alternative.

I dunno. I think the effort might be worthy of the EFF's time if they have the expertise. I don't think that any EFF donors would be upset that they spent time to help OpenSSL setup a non-profit.

Not only this, but there is delay/wait-list of over a year to get your 501c3 status approved at the moment.

They could join another nonprofit.

The Apache Software Foundation is one of those. Here are some of their (our) public numbers for 2012-13:


I'm less sure how OpenSSL can pull in large revenues on an ongoing basis, but I can tell you how it can easily attract significant money right now: do some bloody fundraising over the next few days or weeks! Just structure it as a crowdfunding drive and stick it up on Kickstarter or whatever for minimum hassle. (You might have to do a bit more work to also avoid tax, I don't know.) If they've attracted €3000 so far in donations without lifting a finger, imagine what they could do if they actually went out to capitalise on the publicity and the unhappiness generated by Heartbleed over the past few days. For that matter, a third party could do the Kickstarter, just as long as people can trust him/her/it not to run away with the money. I previously suggested giving the money to the Internet Bug Bounty pot instead of to OpenSSL itself https://news.ycombinator.com/reply?id=7566208 but obviously money could go to either, or to other relevant good causes.

Marketing. Some numbers to compare:

Virtus raised 1000 Euros in a month. https://www.bountysource.com/fundraisers/329-virtus-1-0-0

While the lib is an interesting one, it is a fringe library in a fringe space (Ruby). Still, it made half of what openssl made in a year in a month.

RVM, one of the Ruby version switchers/installers, raised 50k to fund the main developer a year of work on it:


Thats already 1/16th of your number.

Now, OpenSSL is _far more important_ than both of these but still doesn't manage to get funds? Sounds more like they just hope people to come because they want to.

How about hitting up all the multi-million dollar companies that run their businesses on top of OpenSSL?

How much do you think companies[1][2] would collectively donate in order to try to avoid another Heartbleed?

[1] http://mashable.com/2014/04/09/heartbleed-bug-websites-affec...

[2] https://gist.github.com/dberkholz/10169691

Rounding error in donations, but easily $X0k+ to purchase proactive mitigation. It's not like (without loss of generality) Yahoo is a stranger to paying for engineers, security technology, software licenses, or insurance policies.

Probably none, what with game theory and the free-rider problem.

Or, as it seems, about $2k.

Anyone here run a SSL certificate provider? Just make a new line of certs that cost 3 times as much but donates the overage to OpenSSL.

Lots of corporate IT people can get away paying $300 for a cert and know $200 of that is going to a good cause.

Really? That sounds like something you would get in trouble for in most places.

It's not for the IT employee to effectively give away the companies money by buying something for more than they have to spend.

The decision to donate to a good cause is usually made by other people in the company.

I think it's a good idea. Cert prices vary, and there are reasons for it, and companies would rather pay for stability than save money.

But you are not paying for a service, because funding OpenSSL is a classic free rider problem: the company would be better of not funding OpenSSL, even though all companies would be better off if they all funded OpenSSL.

By that logic, the tax accountant could argue that they should arrange a company's finances so they pay more tax, in order to pay for more "stability" by funding the government.

Does it matter about everyone else though? Your company values rock solid encrypted communication and it willing to pay a premium to ensure this it remains rock solid. The fact that everyone gets it is just a side effect of that.

implicit in the free rider problem is that the monetary value of your contribution is less than what you gain.

In this case, I think it's safe to assume that a $200 contribution to OpenSSL won't repay the contributing company $200 of improvements.

They need to bring about exposure and awareness. Although I use it obviously daily in work and in life; I have never even thought of nor been propositioned to donate. I had no idea that it wasn't being supported by a large company. Call me naive, but they need awareness.

Paypal fees!? :) donates to foundation.

Is their web site ... for real? Who would donate $10 etc when it seems at first pass as if they only entertain massive donations. Hmmff.

How about:

1) Simple redesign of home page,

2) Showing prominent sponsors who've paid more than some amount in the last 12 months (e.g. Google, Redhat, Akamai),

3) And leading contributors

4) And news other than vulnerabilities (e.g. code fixes, new tests, etc.)

It might not net $800,000 per year, but it would probably help.

You're asking like it's the first time an open source project was sponsored by large corporations. Let's see, what's in it for google just in terms of PR? Developers it can attract? Ways it can get webmaster mindshare?

I'm not sure about $800k a year, but taking a page from Tarn Adams, OpenSSL should be able to raise at least $2k a month by:

Sending donors one of either: a) a short story b) a picture drawn in crayon

Upvoting because I think people misunderstand the nudge here: Dwarf fortress does both of these, and easily pulls in more money than OpenSSL by average. Sometimes up to twice as much if they just had a big release. (Which is - regardless how good dwarf fortress is - a shame).

I have often thought we need something akin to gittip on Enterprise Scale.

A central point of collection, but I can direct the donation to any project, and "EnterpriseOSSFoundation" just handles the messy admin.

There are an awful lot of CTOs who would be happy to "pay back" to projects if it looked legit on the budget and the brand was something the Chairman would hear about at the golf club.

What's to stop Gittip from being enterprise scale? Just got home from PyCon and had a lot of conversations there about how to translate Gittip into terms that legal/accounting can deal with.

The events of this past week make me wonder how much Heartbleed would have been worth to an entity that buys zero day exploits.

Ask CloudFlare how much they paid.

No, I'm not saying they buy zero day expolits to be evil, but how else did they get 12 days notice?

Because the researchers had the common sense of notifying the biggest targets in advance, I think.

I'll defend the researchers for trying to do a managed notification. But I wonder, did they try to reach out to the major OS vendors to see if they could get them any advance warning? Or ask OpenSSL if OpenSSL knew how to get in touch with people on the down-low?

The problem with distributions is that you, in most cases, don't know who is on the other end of the security@xxx.tld email address.

Being google engineers, they should have direct contacts with Cloudflare and some other high-profile targets.

Obviously they don't just send the exploit directly in mail to a mailing list. Email, ask to talk to someone over the phone, explain the situation to that person, ask for references on prior releases being well-handled.

I want to avoid Monday morning quarterbacking, though. In hindsight the right course of action is always obvious.

If that were the case, AWS would've been on the list.

ITYM "target", and not even "biggest", really. They didn't responsibly disclose to any distributions.

Wouldn't it have made most sense to e-mail the OpenSSL team so they could have pushed a critical patch that everyone would have updated to via APT before shit went off of the hook?

They did, the problem is that the patch immediately shows you the security issue - and distributing a patch means then to disclose the bug.

I'm not 100% on the timeline but I'm pretty sure the OpenSSL team knew about this well before April 7th.

By being a major site that uses SSL. Many such users were notified ahead of time; it's nothing abnormal with responsibly disclosed bugs. As far as I'm aware, no money changed hands whatsoever.

CDNs are part of a group that receives advanced notification because of their reach on the web - they're a valuable attack vector.

What about CloudFront? What about Akamai? What about every other CDN but CloudFlare?

Yeah, wow... Anyone in that group/know anyone in that group that can refocus them on the real problem of them being paid <10 engineer days per year to maintain/improve this vital piece of infrastructure?

What other people have said in comments is completely right: OpenSSL, or maybe just this Steve Marquess guy, is missing the forest for the trees. Or in this case, the six figure donations for the pennies. OpenSSL could raise more money in a few months of pan handling in a major city than they raise in a year[1].

A student group that I will soon be President of at the University of Northern Iowa[2] received more in donations and financial support. Our student group is not the best managed, but we care a lot about large sponsors, keeping good relations with them, and making asks that matter.

If someone told me that panhandlers and Midwest student organizations are out-fundraising OpenSSL, I would scoff and laugh. OpenSSL? That's mission-critical software running on nearly every PC and post-PC device in the world. You know what OpenSSL reminds me of in this respect? SQLite.

SQLite charges $75,000 for consortium members[3] to have 24/7 access to phone support direct to developers, guaranteed time spent on issues that matter to them, and so on.

The fact that this doesn't exist for OpenSSL is an embarrassment to project management. I made an offer in that email thread to try to raise $200,000 for OpenSSL by the end of 2014, and I'm repeating it here for visibility:

If you are an employee of a corporation that wants to donate to directly support OpenSSL development by funding staff time, send me an email right now: friela@uni.edu

If you are in the OpenSSL foundation, send me an email right now and I will try to solve your problem by finding a phone number at every major OpenSSL using corporation and making an ask. Want me to do that? Send me an email right now: friela@uni.edu

[1] http://www.ncbi.nlm.nih.gov/pmc/articles/PMC121964/

[2] http://www.unifreethought.com

[3] http://www.hwaci.com/sw/sqlite/prosupport.html

[4] https://sqlite.org/consortium.html

Not sure why I'm downvoted, but I'm making an explicit offer to spend volunteer time making asks to corporations to raise money for OpenSSL. I don't see too many people making similar offers, and a number of people pointing out that they have the opportunity to solve their fundraising programs through corporate sponsorship, but not a whole lot of people with the free time willing to do so.

Telling an underfunded volunteer-run organization what they need to do rarely works. They're busy, they have lives, and they can't afford to make a mistake with their time which is already so acutely demanded. So I'm making an offer: I'll run the corporate sponsorship program, just give me the option to do so. I'm a student, I could spend four hours tonight calling contacts at businesses and public institutions, working my way up the ladder and making asks. Has OpenSSL ever just asked for money before? Asking for money is hard for many people, I don't know why, but I've done it before, so why not?

Pardon me if I'm being blunt, but I believe I can answer your question regarding downvotes.

You seem to have found a niche you're good at, all I'd counsel you is to get better at managing impressions. I think what you want to do is great, and I think most HNers agree on that. But this doesn't seem like the appropriate forum to reach out in, and partly because of that and partly because of your wording, you come off sounding a little arrogant and like a salesperson. I think if you were less verbose, your intentions would shine through better.

> http://www.openssl.org/support/acknowledgments.html

And they're not selling Qualys on future contributions. They got their logo there, and it seems like it'll stay there forever. They are a "Past Contributor", and they get what could be prime corporate advertising space to security engineers for free every year they don't contribute. I can't tell if they're a current contributor, or how much it would cost to put $MY_COMPANY logo there. And I don't know why I would care, because it appears OpenSSL doesn't seem to care about who is paying year-to-year.

It says "Past or Current". That should just say "Current". Anyone who isn't a current contributor should get their name taken off. Also, where is Google? Apple? Microsoft? IBM? Oracle? Juniper? None of those names have logos up there. That should be fixed. Has anyone ever cold-called those companies and asked to talk to their sponsorship and corporate contributions groups?

Though from the sounds of it, it doesn't work very well presumably because there is no outbound sales process - which is what this person is suggesting doing.

The logic is really not that hard:

Open source software benefits the entire society/humanity.

Therefor, it (or at least the most critical components, such as OpenSSL) should be funded by all governments in an internationally coordinated effort (tax payer benefits = tax payer pays).

If we can have internationally coordinated efforts such as NATO, why can't we have them for extremely important/basic elements of our society such as technology?

> If we can have internationally coordinated efforts such as NATO, why can't we have them for extremely important/basic elements of our society such as technology?

This is a very interesting question. The answer, most likely, is that the perception of security moves slower than the security concept[s] itself.

We come from an era where security was in most part physical, and we're transitioning to an era where it's much more logical; society though, is having a hard time adapting to the change.

For this reason, a technologist may see as obvious to take care or OpenSSL more than, say, building a tank, while a politician is stuck in with the latter only.

Also, I think we're only scratching the surface here. It's interesting, for example, to think of a parallel between the interests in keeping the world insecure. In practical terms, NSA has certainly a great interest in keeping security software broken even if used by the people it's supposed to protect; I wonder what was the parallel of this, 50 years ago, and especially, how is society going to react over the time.

NATO was set up in opposition to the Soviets / Warsaw Pact. It's "internationally coordinated" amoung some countries, not all.

Given today's murky geopolitical situation, its always good to cite history as correctly as possible:

"The North Atlantic Treaty Organization (NATO) .. also called the (North) Atlantic Alliance, is an intergovernmental military alliance based on the North Atlantic Treaty which was signed on 4 April 1949."

"The Warsaw Pact was in part a Soviet military reaction to the integration of West Germany into NATO in 1955, per the Paris Pacts of 1954 but was primarily motivated by Soviet desires to maintain control over military forces in Central and Eastern Europe"

[1] http://en.wikipedia.org/wiki/NATO [2] http://en.wikipedia.org/wiki/Warsaw_Pact

OK I stand corrected, NATO was set up first and then the Soviets set up the Warsaw Pact in reaction to NATO. But that still proves my point that NATO was one side, unlike (say) the UN which had/has both sides.

The donations are one aspect. I'm on the dev mailing list, been lurking for a few years, I've used openssl for various things for years and I have had an interest in when some newer TLS standards were going to be supported. It's a pure bazaar as best I can tell. It's nearly magical how releases happen. I don't know if there is a secret mailing list for the core developers or some IRC channel or something, people post patches to the list, there are some occasional questions and answers, it's insanely low volume for a project as popular as it is. Every now and again some big patches with a lot of new stuff drop. Every now and again someone ponys up some big money and FIPS certification happens. It just sort of keeps meandering a long without a a benevolent dictator.

A sponsored bug bounty might be just as useful as more money directly to the project (especially if Google is porting Chromium to it). The nice thing about sponsoring a bug bounty is that anybody can do it; it doesn't require coordination with the project.

The Internet Bug Bounty that Facebook and Microsoft are sponsoring applies to OpenSSL: https://hackerone.com/ibb

The prize pool could use to be a damned sight larger though. Heartbleed only qualified for a $15,000 payout: a figure ten times larger would still look a bit stingy for such a serious bug.

I'm certain that certain agencies would value exclusive knowledge of this bug at millions, rather than thousands.

Certain ... private enterprises, as well. It's very unlikely that bug bounty prizes can be made to match the kind of money you might be able to get elsewhere for a big bug; but they don't really have to.

This - something like this is not only a great idea but incentive for more developers to spot some easy fixes & promote the OpenSSL brand as well.

And cheap if no one finds anything.

I'm sure that can be crowdsourced

Yup, we're just waiting on someone to do it. It wouldn't have to be OpenSSL (or even FB or MS, the existing IBB sponsors): it could be done by anyone with enough public credibility to be trusted not to run away with the money, and the time and skills to jump through the tax/charity/crowdfunding hoops.

Another nice thing is you can see what the money goes on. "Where does out €5,000 donation go?" "We'll find and fix bugs in software you use."

Bug: OpenSSL implementation. All of it.

Wow, I'm surprised that someone that's so crucial to the well being of so much of our internet security is funded on $2000/year in donations. I think I'm going to start donating more to stuff like this.

there needs to be a user owned group that funds these critical projects in a transparent and effective way. I would sign up in a heartbeat.


They make it easy to setup recurring donations. I'm sure even a small amount every month makes a difference.

Does the EFF donate to OpenSSL?

If they did, OpenSSL wouldn't have $2000/year in donations. Most of the EFF's donations go towards fighting cases in court, if I'm not mistaken.

Don't see how that's relevant either. OP mentioned about donating to things like OpenSSL. I was recommending one.

Soo, throwing a little bit of economics out there: BSD-licensed open source software is pretty much a Public Good (http://en.wikipedia.org/wiki/Public_good). There are basically two ways we've figured out how to create public goods: taxation and assurance contracts (like Kickstarter).

Thoughts on the pros and cons of either approach with respect to improving information security infrastructure?

"There are basically two ways we've figured out how to create public goods: taxation and assurance contracts (like Kickstarter)."

No, many BSD licensed projects have been created through other means. Partial sponsorship and user contributions (usually non-monetary) seems like a common path.

The problem with taxation is that it requires force, which implies a heavy burden of responsibility on the people allocating the funds after collection. It's really hard to figure out which projects should get funded, and how much, and avoid strange incentives along the way. I just don't think any group of humans could do a good job of this outside of very specific tactical funding (e.g. what the DoD does with some projects).

Yeah, assurance contracts make the "figuring out what to fund" easier, since there's sort of a natural selection process. You still have execution risk, though, which is probably the biggest problem right now: if I'm contributing to fund the creation of some software, how do I know the funded people will actually deliver?

That's where a trusted intermediary probably has to come into play. The best thing I can think of at the moment is a version of Kickstarter that vets the candidate projects almost as thoroughly as a VC would and takes a cut for providing that service. Not sure how the business economics would play out in practice, though.

Since the NSA (and probably other government agencies) are already researching vulnerabilities, it would be nice to have them made public. We're already paying for the research, so we wouldn't really have to raise taxes.

They are not just researching, they are weakening security for everyone, especially domestically considering Americans dominate tech businesses. So not only are Americans paying for research that returns no economic benefit (unless NSA is sharing info with American special interests and are not just security?), they are making it nearly impossible to have full trust in the information systems the business community invests heavily in protecting.

I imagine if the NSA was focused on defending businesses and not reading emails of people, they wouldn't be getting the same amount of financing. They are financed for their power to exploit people the government feels threatened by, not their ability to defend citizens from harm.

Considering that the NSA has known about this bug for up to two years[1], I think it's optimistic to consider that they'd be willing to help in this regard, as they've very possibly been exploiting it for some time now.

[1] - http://reason.com/24-7/2014/04/11/nsa-allegedly-knew-about-m...

Thanks for the Wikipedia link. Just wanted to point out that the link identifies more than two ways to fund public goods.

In particular, I'd like to point out the "Privileged group" solution, which can occur when some individuals or organisations obtain enough personal benefit from a public good that they're basically willing to fund the good themselves, even if others are free riding. Many organisations obtain enough personal benefit from secure communications that it's worth it for them to contribute to OpenSSL.


There are lots of other ways of encouraging funding too. Hacker News is one place where the community constructs social norms around open source contributions.


The Privileged Group case is more-or-less the informal handshake equivalent of assurance contracts, and the altruism/social status option doesn't quite seem to cut it for critical infrastructure like crypto libraries, unfortunately. But thanks for pointing those out!

TrueCrypt's audit was funded partially through IndieGogo IIRC. So we know it's at least possible.

I'd imagine the logistics of managing such a thing would be tricky, but I for one would have no issue with an "SSL Tax" that's voluntarily added to various pieces of software, with proceeds going directly to things like the OpenSSL project.

I'd be more inclined to look to state funding for encryption-related public goods if the state wasn't demonstrably an antagonist in the realm of encryption...

Sponsorship and advertising also work.

So, first: I agree with patio11. But past that, this thread also bugs me because it is so ill-informed: the very first question that has to be asked is "what is the distribution of donation amounts", as the way to minimize processing fees of "we got one donor who gives almost $2k, and then a handful of people we choose not to turn away who give a few dollars each" is very different than how you handle "we have $2k donors, they all give a dollar". PayPal's micropayment fees are $0.05+5%, which is a massive difference from the default $0.30+2.9% quoted.

And if you have only one really large donors, you get them to give you a check. And then you put their name somewhere. And you send them some thank you letters. And you ask for their advice on how to talk to their friends, as maybe they might also want to donate. Because patio11 is just dead-on right: it is more useful to increase the incoming money here, not avoid losing some fees :/. But again: even if we choose to nitpick fees... this conversation is still going nowhere if the distribution of donations and the process of receiving them (if you have mostly random donations, having them do bank transfers is going to massively increase the loss rate ;P) is not where the discussion started.

Lets agree that guys behind this project are not business-wise. Thus - they are not really in place to raise money, nor manage funds properly. With such an important "service" they provide, they could easily go in to ~$1 Million a year without sweating. They should look for manager/director to manage finances and growth strategy. I bet many marketing people would LOVE to manage such a project business wise including me!

>I bet many marketing people would LOVE to manage such a project business wise including me!

I highly doubt the engineers want to be 'managed' by a marketer looking to raise money.

All of that is really a waste of time. Regardless of the distribution of donations, it's basically chump change (<$100).

Most engineers should be able to make that in an hour. Heck, I'd be happy to pay that myself personally.

Given the amount of money in tech, and how critical OpenSSL is to the internet, nobody should even be worrying about costs. The only question should be why every major tech company isn't already writing them a $xx,xxx check.

this may be a stupid question but why is it hard for you to give OpenSSL money?

if this were a Dutch organisation (and I could spare that kind of money ...), I could either fire up my online banking and transfer it without any costs, or use the (slightly easier) iDEAL option and it'd cost them about 50 eurocents + 0% per transaction.

not even just for the Dutch btw, since recently, if they have an IBAN bank account number, you can just transfer money there (well, not to the US, apparently, but in the EU, parts of South America, Africa, Asia, ..[0])

[0] https://en.wikipedia.org/wiki/International_Bank_Account_Num...

> this may be a stupid question but why is it hard for you to give OpenSSL money?

Primarily because it's not tax-deductible. I try to restrict my charitable donations to things I can deduct.

The other reason I don't is that I'm not convinced it would be used effectively. They shouldn't be using small donations as their primary source of funding, they should be going after huge corporate supporters.

I'd be happy to donate $100 if it were tax-deductible and if OpenSSL committed to making the minimal effort of reaching out to major tech companies for substantive funding.

At the cutover level (around $5), the micropayment fee is $0.50, whereas the standard fee would be $0.45. It's not that massive a difference. If people are donating only one dollar, then it's a wider difference (10c vs 33c), but this level of donations is neither a serious chunk of the total pool, nor the kind of donors you want to attract. One of the donors gave $0.02 - clearly meant to be a joke or a system test, and not the kind of donor you want to court.

The cutover between micropayments and regular payments is $12. At $5 the difference is $0.30 vs $0.41 (including the non-profit discount, which does change where the cutoff is slightly, but I don't know what it is). (I don't know how you calculated $0.50, but 5% of $5 is $0.25, plus $0.05 makes $0.30.) So, it also makes at least some difference even if everyone is donating $10 (which again brings us back to the "you need to know the distribution of payments and the model for the conversion funnel before you can talk about fee optimization ;P).

Thanks for the correction. Looking again, my source said £5, and I overlooked the actual currency. As for screwing up the flagfall... that's just a complete miscalculation on my part, sorry.

Shameful that so many billion dollar corporations rely on it in such a vital way, and only so little is being donated to it.

I think we need a score card for donating to open source projects, in the same way we have score cards for using green materials in devices, or using renewable energy for data centers. We should see periodic reports of how much money these companies donated to open source projects.

Indeed, and maybe we'll see some of the big companies hire and assign people to work on it now. I hope so. It'd be good to see the code audited too, though I'm not sure how you'd go about that with a project like OpenSSL. I suspect it'd have to involved funding a PhD or two...

I'm surprised I haven't seen anyone mention the "tragedy of the commons" economic theory yet. Though in this case it seems to be happening in reverse, rather than depleting the common resource, we are all neglecting to invest in it.


The OpenSSL debacle exposes a real problem with Open source sw. There is massive financial incentive to break it, none to make it safe. Funding its dev does little. Fund guys to break it who will tell you how they did it.

i think, generally, the tendency to think openssl needs help right after seeing openssl need help is..ignoring the problem that there might be other projects similiar to openssl, who need help. its like donating to 1 disaster victim because she appeared in a news story. this thing should be left alone and looked into after a few months(i dont know how long it takes for people to forget,actually) of no stories in the press about openssl.

otoh, if there were a foundation that collected money and funded many projects..it'd look like apache perhaps..

personally, i wouldn't mind an option to donate to apache or openssl in a humblebundle, nor do i mind an option to stick a donate button/widget on my website.. or even better, have the widget rotate recipients..

Why not rewrite the whole thing ?

Countless companies have successfully rewritten their products. Properly done, people outside the company never even realize that it was done. Joel has a sort of reverse survivor bias; those who fail are noticed, but those who succeed are ignored.

Worked for Mozilla.

I am utterly baffled by the fact that people are still posting that link as if it proved anything other than the fact that Joel Spolsky has absolutely no idea what he's talking about.

Or has this now become a running joke? Was the posting of that link ironic?

Was this comment ironic? Can you back up your claim, "Joel Spolsky has absolutely no idea what he's talking about," with some evidence?

Rewriting from scratch can be beneficial, take the V8 engine in Chrome for example.

Let's. Because this is confusing. What Javascript engine was the V8 rewrite of or did it experience a rewrite of itself at some point in time?

I'm not saying he proves anything but he certainly knows something about what he's talking about and the OP asked "why not rewrite" and Spolsky offers a number of reasons why. They might not apply here but they just as well might.

Count me in to the baffled crowd.

That's unfortunately still too much. Raising any more money will only delay the death of a project that has suppressed the use of better written projects by dominating that niche in the ecosystem due to first-mover advantage.

I'm very surprised how low the donation is. This proves that OpenSSL was maintained more from contribution / volunteer rather than professionally. No wonder why they were not the first one to find the heartbleed bug...

My usual suggestion would be "that's part of the infrastructure, so governments should get together and foot the bill", but this approach doesn't work for this particular use case.

I'm interested in how the payments by third-party companies to OpenSSL foundation for white labeled FIPS-mode OpenSSL are accounted for. Maybe it's a seperate entity?

it's time for the community (and possible all major opensource projects) to have code review parties.

1 week before, a module is declared the subject. at the time of the party, the major owners are on the hook for function by function questions, and line by line when it merits.

reddit? or even a special github community service.

this might not necessarily be a good thing. see: http://en.wikipedia.org/wiki/Motivation_crowding_theory

Is it so vaguely undervalued or does it just work so well that it does not need too much improvement?

"It works even if I don't pay for it."

Due to its global importance, even if its security record was impeccable there would still be a huge incentive to constantly audit and test OpenSSL.

It is critical for the future of the Internet that OpenSSL (or any alternative that might show up) does not have any other Heartbleed bug.

OpenSSL is like a guardian angel who's invisible to a person. The guardian angel has been helping the person all the time even though he/she doesn't know it. Then the time came that the guardian angel made a little unintentional mistake that led to large consequences. The person then starts blaming the guardian angel, forgetting all the good things the angel has done for him/her.

No, because people are paying for it. Not directly, but through their internet contracts, banks, etc. Those people expect that their stuff is secured, they do not need to know how.

My grandma probably does not even know that ESP exists in cars. However, if the ESP stops working, then she could rightfully blame the car manufacturer.

Persons are not blaming OpenSSL as some imaginary entity, they blame people who are involved in making, reviewing, accepting and using OpenSSL.

I don't think the analogy works. None of the money, and all of the blame ended up with people who make and review OpenSSL as volunteers.

Underfunding is not an excuse for a code that gives headaches to people, lack of testing and blind acceptance of "new features" just for the sake of it.

The code is openly sourced, developed, and tested. It, like privately sourced, developed and tested code contains bugs. Since you are casting the stones, am i to assume code you have been around is free of these eventualities?

What I'm saying is that we should be looking at (open) alternatives to OpenSSL, like GnuTLS for example.

It's not about open vs closed or "all code has bugs", it's about the OpenSSL project needing to rethink their security strategy and general guidance.

GnuTLS does not use an acceptable license. Apache/BSD/MIT please. It's the only way you'll find it replacing OpenSSL everywhere.

All software has bugs. That's an unavoidable reality. You need to learn to deal with that fact.

Dumb question perhaps, but what do they need money for? What would they use it for? It says they pay it out to team members, but if people are doing this work for the money, doesn't that defeat the point?

It certainly would not defeat the point to pay the OpenSSL engineers. Free and open software is about your freedom to modify and share software, not about taking no money.

Open source software still costs a lot of money to make, and people do pay for it. Typically, companies like RedHat, Facebook and Google (and plenty of others, like Apple, and even Mircosoft) hire engineers in to full-time positions to work on open-source projects. That's how most open-source projects are funded. It's how Webkit grew. It's how Linux is built.

OpenSSL needs funding, and the biggest companies that depend on it will probably provide more assistance in the aftermath of heartbleed I expect. OpenSSL is so crucial, and we've just found out how exposed it is.

if people are doing this work for the money, doesn't that defeat the point?

What exactly do you think "the point" is. To not be compensated at all in any way for your work?

I see a BSDish license as an indication someone wants their work to be available to anyone. Not a statement that the product itself must be kept purely a labor of love.

Yes, if people want to be compensated in cash for their work they sell it or become employed by others. I've always seen open source more as a kharma type of thing and never expected any compensation for my contributions

So go work on OpenSSL. Oh wait.

Having enough donations allows someone to work on this full time. People need to eat and pay rent/mortgage.

I can easily see a scenario where the overtired guy committed a bug to OpenSSL because he was working on it in his spare time from a paying job.

Many, if not most of us, do the same thing. We get home - we test out ideas, burn off steam, do thing THE RIGHT WAY instead of the way we have to do it at work, etc.

Except for a lot of us, our stuff doesn't go net-wide, or is not important enough, etc.

His did.

I will be making a donation at some point in the future when I can afford it.

And he's going to quit his job with your donations now? Tired people can still commit code they don't plan on hiring all of the contributors.

The point is to secure communications for everyone, for free. Being paid wouldn't defeat that point; charging for the result would defeat that point.

If they could pay one guy to manage and work on it, I'm sure that approve things.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact