The encryption code exposed by the Heartbleed bug last week provided vital security for some of the most widely used websites on the Internet. Fortune 1000 companies rely on the open source code for their core business. But it turns out no one is paying for it.
The software that carried the bug, and was later patched, is OpenSSL. It’s supposed to be the really safe, secure road on the Internet superhighway, where messages get encrypted and sent between users and servers. But the recent bug was like a gaping pothole.
The volunteer team at the OpenSSL Foundation couldn’t catch it because there aren’t enough of them to look. The group’s founder, Steve Marquess, says only one person works solely on the software. “Everyone else has outside obligations,” he says.
The group gets some money in corporate contracts. “Rather quite a bit — under $1 million,” he says. But that’s for company-specific work. In 2013, the group got just $2,000 for upkeep.
After news of the bug broke, one person on a popular tech forum joked the software could raise more money panhandling in a big city than it’s gotten online.
Ed Felten, a computer scientist at Princeton University, says OpenSSL is like public infrastructure without a tax base. It’s open source — meaning anyone can use it for free — but it’s so poor, it’s never had a complete security audit.
Two-thirds of websites rely on OpenSSL. In economics, these users are called free riders.
“A free rider problem means that someone can benefit from a project or a technology without contributing back to it,” Felten says.
High-tech companies are keeping quiet about the software’s financial woes. Facebook and OKCupid did not respond to NPR’s inquiry. Yahoo, Amazon and Google declined to comment. Cisco did disclose that it does not give checks to OpenSSL, but the company’s employees do actively help with code.
Many cybersecurity experts, including Felten, say that’s not enough.
“Somebody needs to be paying and putting in the work to ensure that components like OpenSSL are secure. It’s a job that some of the large companies could do individually and get together and do,” Felten says.
David Chartier, CEO of Codenomicon, the company that found the Heartbleed bug, says the crisis is not a cautionary tale about free riders and corporate accountability. Software, public or private, will always have bugs, and people have to come together as a team to deal with them.
“Never before have we seen the security community, and the general public together along with media move so quickly to get the word out,” Chartier says.
There is another silver lining. Marquess says since the bug was revealed, his group has gotten about $10,000 in checks.
“What I think is remarkable about that is so many come from around the world, places like Micronesia, the Netherlands, Taiwan, typically in $5, $10, $20 amounts,” Marquess says.
But given all the traffic on OpenSSL, that still doesn’t cover the cost of maintenance, he says.