Google, Amazon, Facebook, and Akamai (off the top of my head) will each pay that without batting an eye; that's $480k/yr. right there. I imagine they could probably get some banks in that club as well.
If I find a vulnerability in code from a project which is pulling this sort of stunt, I will make sure I share details with distributors only under the strict condition that they are not allowed to tell the project about it.
Responsible disclosure usually means "start by telling the authors", because usually the authors know who needs to be contacted and will do that responsibly. If they're just going to sell off exploits to the highest bidders, they should have no role in the disclosure process.
Given how important OpenSSL is to the web's infrastructure (and the many companies who utilize it), I think there would be value in ensuring it has appropriate resources to fulfill that duty. This idea may not be a perfect solution, but calling it a "stunt" is hyperbole, IMO.
In my years as FreeBSD Security Officer, we in very rare cases gave advance notice of vulnerabilities to end users, and those decisions were made on the basis of "we happen to know that these people are using the software in a way which makes them particularly vulnerable". (In most or all such cases we didn't even provide a patch, just a warning of "make sure you have people around at 10AM tomorrow in case you need to release an update quickly".)
Nobody ever got advance notice by virtue of having donated money, and I reminded Security Team members that they should not give any advance disclosure to their employers.
Yes it is. If you disclose early to a select group, you are by definition delaying details to everyone else.
The paid early disclosure stuff used to exist all over the place, and it was a joke in terms of it being immediately leaked to those in the know.
What would you say if this was worded more like Patrick's "priority support" clause in his analysis of Tarsnap? Practically it would just mean they send an email to the priority support list before they send it to the listserv. I still think major enterprises would get on board.
Mail servers are fast enough these days that I don't think that it really matters what order the emails go out in. Maybe someone would want to pay to get a phone call when an advisory goes out, though.
I have no objection to providing support for paying customers, e.g., to help them figure out if they're affected by a bug. But money should not result in you hearing about a bug any earlier.
The goal is to give businesses who are already in the early-warning club an excuse to write $10k checks every month. The intention was not to solicit anyone and everyone.
It would continue to only be offered to organizations who are (in the collective opinions of the OpenSSL project leaders) going to neither leak nor use the vulnerability -- exactly what happens today.
They would be allowed to (and, I'd hope, would) waive the fee if a major stakeholder were obstinate about it, because (I hope) they actually care about the security of the Internet.
Also it assumes the OpenSSL team are the first to know about vulnerabilities. Heartbleed has shown that's not always the case.
2. Wait for next vulnerability
3. Immediately sell details to hackers via bitcoin
Unless a critical vulnerability is exploited in the wild, it should first be disclosed to big Linux distributors so they can prepare patches and to companies responsible for critical Internet infrastructure so they can fix their systems before telling the general public. With this proposal you just charge companies who can afford it membership fees and provide this service for free to open source/non profits who could not afford it.
I don't know a lot about large companies, but I do know a little about getting small companies to give you money. Small companies are cheap, but there are a lot of us, and if you only need $800K, well, that is 800 companies donating a grand a year each. There are many thousands of small technical businesses who can afford a grand a year.
So. First problem, for a small company? You need to give us something to buy. This helps out tax-wise, and it also makes the deal feel better. Hell, you can call OpenSSL a for-profit at that point, which means little paperwork for you, and if you pay out everything you get as salary, you have to pay the same payroll taxes on that either way anyhow, if I am not mistaken.
So, what can the OpenSSL people sell me without causing a conflict of interest? How about advertising? Maybe give me a website badge. "OpenSSL sponsor" maybe with a silver/gold/bronze or something (or maybe even just the amount) - Also put me on the sponsors list on the OpenSSL website with a link to my website and maybe my tagline or a logo at the more expensive levels.
I'll take the grand out of my advertising budget and it's all above-board tax wise for me, and the paperwork is easy. I've bought advertising before.
You'd either want to talk to someone senior in IT security or anyone above them, up to and including the CTO or someone in risk management/liability. Doing sales to those people is most likely expensive, probably costing $10k+ per client which would be the cost of someone going to networking events, visiting prospects, presentations, documents etc.
In my experience paying yearly is much preferred to paying monthly in large orgs due to the process that has to be gone through to purchase something (longer than a year can cause budgeting problems).
This is why I'm suggesting something that can be sold online, at a price point that doesn't require per-customer sales effort. I don't have many $1000 per year customers, but I have a few; and I have a fair number of $500+ per year customers. I did not spend more sales effort on those customers than I did on my $100/year customers.
I say this as evidence that $1000/year is below the "high touch sales" threshold.
Selling something online could work, but the question is what do they get for their money? A t-shirt, name on website, etc. Though in a world of Kickstarter it could work if done right. This is a $50/yr deal for most, which is 20k people to get to that same $100k with a lot more community work to keep up with those people.
$1000, from experience, is below the level where you need per-user sales.
>Selling something online could work, but the question is what do they get for their money? A t-shirt, name on website, etc. Though in a world of Kickstarter it could work if done right. This is a $50/yr deal for most, which is 20k people to get to that same $100k with a lot more community work to keep up with those people.
I would suggest that for corporate sponsors, you make it more clear than Theo does that you are buying advertising, not donating money. I think selling a "I helped pay for software you use" website badge is a good way of doing that... but look at the mirrors.centos.org sponsors page. You are very clearly buying advertising space, in that case.
Heck, the CAs charge a lot of money for badges that mean nothing; the OpenSSL people could create a similar badge. "OpenSSL developer club auxiliary" or something.
It's a lack of,
>I'll call up and close 800 businesses for you and keep track of invoicing them. As well as do product management on getting something together that is something they can support. I don't need any resources.
And for invoicing at this scale, use cashflow accounting. The sale closes when you receive payment. There will be some work matching up checks to logos, but at $1000 a pop, the 5% of customers who don't write the account identifier on the check are worth tracking down.
You do need to do accounting, but you need to do accounting at the current $2000/year level, too. I don't think they are committing themselves to all that much extra work if they only get a few buyers.
I have... intimate experience with the "I got too many customers before I had sufficient automation" problem... and yeah, it is a problem when you have $50/yr customers. It is not a problem, I think, when your smallest customers are $1000/yr.
2) They need to coordinate with fortune 1000 companies to get their company listed as a United Way alternative.
3) They need to campaign the nerds in the tech community whose companies do United Way donations and ask that their donations are directed to the OpenSSL foundation.
This solves 2 problems: 1 is the immediate need for cash, and 2 is a reliable cash flow. We donate monthly. I currently give to a cancer non profit and a local hacker space. I would move my donations away from the hacker space for the foreseeable future if the OpenSSL guys did this.
Then it still doesn't guarantee they'll increase donations without marketing so people know about it. Until Heartbleed became public, I imagine few companies were aware that OpenSSL had so few resources and such great needs. They definitely need to capitalize and hope the bad press doesn't make large companies seek an alternative.
Virtus raised 1000 Euros in a month. https://www.bountysource.com/fundraisers/329-virtus-1-0-0
While the lib is an interesting one, it is a fringe library in a fringe space (Ruby). Still, it made half of what OpenSSL made in a year in a month.
RVM, one of the Ruby version switchers/installers, raised 50k to fund the main developer a year of work on it:
That's already 1/16th of your number.
Now, OpenSSL is _far more important_ than both of these but still doesn't manage to get funds? Sounds more like they just hope people will come because they want to.
Or, as it seems, about $2k.
Lots of corporate IT people can get away paying $300 for a cert and know $200 of that is going to a good cause.
It's not for the IT employee to effectively give away the company's money by buying something for more than they have to spend.
The decision to donate to a good cause is usually made by other people in the company.
By that logic, the tax accountant could argue that they should arrange a company's finances so they pay more tax, in order to pay for more "stability" by funding the government.
In this case, I think it's safe to assume that a $200 contribution to OpenSSL won't repay the contributing company $200 of improvements.
Paypal fees!? :) donates to foundation.
1) Simple redesign of home page,
2) Showing prominent sponsors who've paid more than some amount in the last 12 months (e.g. Google, Redhat, Akamai),
3) And leading contributors
4) And news other than vulnerabilities (e.g. code fixes, new tests, etc.)
It might not net $800,000 per year, but it would probably help.
Sending donors one of either:
a) a short story
b) a picture drawn in crayon
A central point of collection, but I can direct the donation to any project, and "EnterpriseOSSFoundation" just handles the messy admin.
There are an awful lot of CTOs who would be happy to "pay back" to projects if it looked legit on the budget and the brand was something the Chairman would hear about at the golf club.
No, I'm not saying they buy zero day exploits to be evil, but how else did they get 12 days notice?
Being Google engineers, they should have direct contacts with Cloudflare and some other high-profile targets.
I want to avoid Monday morning quarterbacking, though. In hindsight the right course of action is always obvious.
A student group that I will soon be President of at the University of Northern Iowa received more in donations and financial support. Our student group is not the best managed, but we care a lot about large sponsors, keeping good relations with them, and making asks that matter.
If someone told me that panhandlers and Midwest student organizations are out-fundraising OpenSSL, I would scoff and laugh. OpenSSL? That's mission-critical software running on nearly every PC and post-PC device in the world. You know what OpenSSL reminds me of in this respect? SQLite.
SQLite charges $75,000 for consortium members to have 24/7 access to phone support direct to developers, guaranteed time spent on issues that matter to them, and so on.
The fact that this doesn't exist for OpenSSL is an embarrassment to project management. I made an offer in that email thread to try to raise $200,000 for OpenSSL by the end of 2014, and I'm repeating it here for visibility:
If you are an employee of a corporation that wants to donate to directly support OpenSSL development by funding staff time, send me an email right now: firstname.lastname@example.org
If you are in the OpenSSL foundation, send me an email right now and I will try to solve your problem by finding a phone number at every major OpenSSL using corporation and making an ask. Want me to do that? Send me an email right now: email@example.com
Telling an underfunded volunteer-run organization what they need to do rarely works. They're busy, they have lives, and they can't afford to make a mistake with their time which is already so acutely demanded. So I'm making an offer: I'll run the corporate sponsorship program, just give me the option to do so. I'm a student, I could spend four hours tonight calling contacts at businesses and public institutions, working my way up the ladder and making asks. Has OpenSSL ever just asked for money before? Asking for money is hard for many people, I don't know why, but I've done it before, so why not?
You seem to have found a niche you're good at, all I'd counsel you is to get better at managing impressions. I think what you want to do is great, and I think most HNers agree on that. But this doesn't seem like the appropriate forum to reach out in, and partly because of that and partly because of your wording, you come off sounding a little arrogant and like a salesperson. I think if you were less verbose, your intentions would shine through better.
And they're not selling Qualys on future contributions. They got their logo there, and it seems like it'll stay there forever. They are a "Past Contributor", and they get what could be prime corporate advertising space to security engineers for free every year they don't contribute. I can't tell if they're a current contributor, or how much it would cost to put $MY_COMPANY logo there. And I don't know why I would care, because it appears OpenSSL doesn't seem to care about who is paying year-to-year.
It says "Past or Current". That should just say "Current". Anyone who isn't a current contributor should get their name taken off. Also, where is Google? Apple? Microsoft? IBM? Oracle? Juniper? None of those names have logos up there. That should be fixed. Has anyone ever cold-called those companies and asked to talk to their sponsorship and corporate contributions groups?
Open source software benefits the entire society/humanity.
Therefore, it (or at least the most critical components, such as OpenSSL) should be funded by all governments in an internationally coordinated effort (tax payer benefits = tax payer pays).
If we can have internationally coordinated efforts such as NATO, why can't we have them for extremely important/basic elements of our society such as technology?
This is a very interesting question. The answer, most likely, is that the perception of security moves slower than the security concept[s] itself.
We come from an era where security was in most part physical, and we're transitioning to an era where it's much more logical; society though, is having a hard time adapting to the change.
For this reason, a technologist may see it as obvious to take care of OpenSSL more than, say, building a tank, while a politician is stuck with the latter only.
Also, I think we're only scratching the surface here. It's interesting, for example, to think of a parallel between the interests in keeping the world insecure. In practical terms, the NSA certainly has a great interest in keeping security software broken even if used by the people it's supposed to protect; I wonder what the parallel of this was 50 years ago, and especially, how society is going to react over time.
"The North Atlantic Treaty Organization (NATO) .. also called the (North) Atlantic Alliance, is an intergovernmental military alliance based on the North Atlantic Treaty which was signed on 4 April 1949."
"The Warsaw Pact was in part a Soviet military reaction to the integration of West Germany into NATO in 1955, per the Paris Pacts of 1954 but was primarily motivated by Soviet desires to maintain control over military forces in Central and Eastern Europe"
They make it easy to set up recurring donations. I'm sure even a small amount every month makes a difference.
Thoughts on the pros and cons of either approach with respect to improving information security infrastructure?
No, many BSD licensed projects have been created through other means. Partial sponsorship and user contributions (usually non-monetary) seems like a common path.
The problem with taxation is that it requires force, which implies a heavy burden of responsibility on the people allocating the funds after collection. It's really hard to figure out which projects should get funded, and how much, and avoid strange incentives along the way. I just don't think any group of humans could do a good job of this outside of very specific tactical funding (e.g. what the DoD does with some projects).
That's where a trusted intermediary probably has to come into play. The best thing I can think of at the moment is a version of Kickstarter that vets the candidate projects almost as thoroughly as a VC would and takes a cut for providing that service. Not sure how the business economics would play out in practice, though.
I imagine if the NSA was focused on defending businesses and not reading emails of people, they wouldn't be getting the same amount of financing. They are financed for their power to exploit people the government feels threatened by, not their ability to defend citizens from harm.
 - http://reason.com/24-7/2014/04/11/nsa-allegedly-knew-about-m...
In particular, I'd like to point out the "Privileged group" solution, which can occur when some individuals or organisations obtain enough personal benefit from a public good that they're basically willing to fund the good themselves, even if others are free riding. Many organisations obtain enough personal benefit from secure communications that it's worth it for them to contribute to OpenSSL.
There are lots of other ways of encouraging funding too. Hacker News is one place where the community constructs social norms around open source contributions.
And if you have only one really large donor, you get them to give you a check. And then you put their name somewhere. And you send them some thank you letters. And you ask for their advice on how to talk to their friends, as maybe they might also want to donate. Because patio11 is just dead-on right: it is more useful to increase the incoming money here, not avoid losing some fees :/. But again: even if we choose to nitpick fees... this conversation is still going nowhere if the distribution of donations and the process of receiving them (if you have mostly random donations, having them do bank transfers is going to massively increase the loss rate ;P) is not where the discussion started.
I highly doubt the engineers want to be 'managed' by a marketer looking to raise money.
Most engineers should be able to make that in an hour. Heck, I'd be happy to pay that myself personally.
Given the amount of money in tech, and how critical OpenSSL is to the internet, nobody should even be worrying about costs. The only question should be why every major tech company isn't already writing them a $xx,xxx check.
if this were a Dutch organisation (and I could spare that kind of money ...), I could either fire up my online banking and transfer it without any costs, or use the (slightly easier) iDEAL option and it'd cost them about 50 eurocents + 0% per transaction.
not even just for the Dutch btw, since recently, if they have an IBAN bank account number, you can just transfer money there (well, not to the US, apparently, but in the EU, parts of South America, Africa, Asia, ..)
Primarily because it's not tax-deductible. I try to restrict my charitable donations to things I can deduct.
The other reason I don't is that I'm not convinced it would be used effectively. They shouldn't be using small donations as their primary source of funding, they should be going after huge corporate supporters.
I'd be happy to donate $100 if it were tax-deductible and if OpenSSL committed to making the minimal effort of reaching out to major tech companies for substantive funding.
I think we need a score card for donating to open source projects, in the same way we have score cards for using green materials in devices, or using renewable energy for data centers. We should see periodic reports of how much money these companies donated to open source projects.
otoh, if there were a foundation that collected money and funded many projects.. it'd look like Apache perhaps..
personally, I wouldn't mind an option to donate to Apache or OpenSSL in a Humble Bundle, nor do I mind an option to stick a donate button/widget on my website..
or even better, have the widget rotate recipients..
Or has this now become a running joke? Was the posting of that link ironic?
1 week before, a module is declared the subject. At the time of the party, the major owners are on the hook for function by function questions, and line by line when it merits.
reddit? or even a special github community service.
It is critical for the future of the Internet that OpenSSL (or any alternative that might show up) does not have any other Heartbleed bug.
My grandma probably does not even know that ESP exists in cars. However, if the ESP stops working, then she could rightfully blame the car manufacturer.
Persons are not blaming OpenSSL as some imaginary entity, they blame people who are involved in making, reviewing, accepting and using OpenSSL.
It's not about open vs closed or "all code has bugs", it's about the OpenSSL project needing to rethink their security strategy and general guidance.
Open source software still costs a lot of money to make, and people do pay for it. Typically, companies like RedHat, Facebook and Google (and plenty of others, like Apple, and even Microsoft) hire engineers into full-time positions to work on open-source projects. That's how most open-source projects are funded. It's how Webkit grew. It's how Linux is built.
OpenSSL needs funding, and the biggest companies that depend on it will probably provide more assistance in the aftermath of heartbleed I expect. OpenSSL is so crucial, and we've just found out how exposed it is.
What exactly do you think "the point" is? To not be compensated at all in any way for your work?
I see a BSDish license as an indication someone wants their work to be available to anyone. Not a statement that the product itself must be kept purely a labor of love.
Many, if not most of us, do the same thing. We get home - we test out ideas, burn off steam, do things THE RIGHT WAY instead of the way we have to do it at work, etc.
Except for a lot of us, our stuff doesn't go net-wide, or is not important enough, etc.
I will be making a donation at some point in the future when I can afford it.