John Walsh Software Engineer, Core Development SSH Communications Security

By now anyone concerned with internet security has heard about the Heartbleed security vulnerability in OpenSSL.  What you may not be aware of is how much money and personal information is riding on this “free” security program and others like it (OpenSSH).  Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under resourced. 

What you might not be aware of is just how under staffed and underfunded some of these “free” open source programs like OpenSSL and OpenSSH (OpenBSD) are. OpenSSL for example is largely staffed by one fulltime developer and a number of part-time volunteer developers.  The total labor pool for OpenSSL maybe adds up to two fulltime developers.  Think about it, OpenSSL only has two people to write, maintain, test, and review 500,000 lines of business critical code.  Half of these developers have other things to do.

OpenSSH, part of the OpenBSD project, isn’t any better off.  OpenBSD includes a number of projects other than OpenSSH.  As with OpenSSL, OpenBSD gets relatively little in funding from industry that depends on it the most and relies on volunteers.  The OpenBSD project leader, Theo De Raadt, is concerned about the lack of funding from the industry.  In his own words:  "I think that contributions should have come first from the vendors, secondly from the corporate users, and thirdly from individual users. But the response has been almost entirely the opposite, with almost a 15 to 1 dollar ratio in favor of the little people.”

OpenBSD is so underfunded that it almost shutdown because it had difficulty covering just the electrical expenses for the project.  At the beginning of 2014 a request for funding was issued just to cover the electrical costs for the project.  OpenBSD developer Bob Beck suggests that the project will shut down completely if a more sustainable source of funding is not found.

It is ridiculous when you think about all of the business capital that depends on such grossly underfunded applications.  OpenSSL has never received more than a million dollar yearly budget and OpenSSH can’t pay its electric bill.   The OpenSSL foundation’s president, Steve Marquess, said “The mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn't happened more often."

Marquess has noted an increase in donations and support for OpenSSL.  Even with this increase in donations OpenSSL is still underfunded.  Marquess says, the OpenSSL developers are not to blame for this security vulnerability; they did what they could with the resources they had.  The true culprits are those who take from the open source community without giving enough back.  It seems like people now realize they should pay more than nothing for the software that keeps their private information secure, but how long will the donations keep flowing and will they be enough?  Will open source users donate now that this issue is in the news and forget to donate later?

To read the full blog post, go here: http://www.ssh.com/blog/makesyoubleed