If the organizations, companies, and governments that employ OpenSSL with their websites want to ensure that their sites stay secure from future threats like Heartbleed down the line, Steve Marquess, the president of the OpenSSL Software Foundation, asks that the entities which use OpenSSL donate more money towards its operations, the LA Times reports. Marquess made the case for additional funding in this blog post.
“While OpenSSL does ‘belong to the people’ it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support,” Marquess wrote. “The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted.”
Marquess specifically took members of the Fortune 1000, list to task in his note.
“I’m looking at you, Fortune 1000 companies. The ones who include OpenSSL in your firewall/appliance/cloud/financial/security products that you sell for profit, and/or who use it to secure your internal infrastructure and communications. The ones who don’t have to fund an in-house team of programmers to wrangle crypto code, and who then nag us for free consulting services when you can’t figure out how to use it. The ones who have never lifted a finger to contribute to the open source community that gave you this gift. You know who you are.”
Marquess also names the U.S. Department of Defense in his note as an agency that could provide additional funding, calling an investment in OpenSSL a “no-brainer.”
MORE: How to check if your favorite website is vulnerable to Heartbleed
OpenSSL is a data encryption method employed by many websites that safeguard the data you type into your Web browser. OpenSSL contains a function known as a heartbeat option. While a person is visiting a website that encrypts data using OpenSSL, his or her computer periodically sends and receives messages to check whether both his PC and the server on the other end are both still connected, following a pattern similar to a heartbeat. The Heartbleed bug means hackers can send fake heartbeat messages, which can trick a site’s server into relaying data that’s stored in its RAM — including sensitive information such as usernames, passwords, credit card numbers, emails, and more. This web comic also explains how Heartbleed works.
According to Marquess, the OpenSSL Foundation only pulls in about $2,000 per year in donations, with the rest of its funding coming in via support contracts it honors, where part-time technicians assist clients with problems that are specific to them. Overall, the OpenSSL Foundation has never surpassed $1 million in annual funding. On top of that, then OpenSSL is understaffed, according to Marquess, with the entire team consisting of a single full-time staff member, and a handful of part-timers.
