The president of the OpenSSL Software Foundation has criticised governments and major companies for not providing funding to the project despite using the software, as the fallout from the Heartbleed bug continues.
Heartbleed hit the headlines last week when a serious vulnerability was disclosed in OpenSSL, the open source implementation of the SSL/TLS protocols used by web giants such as Amazon, Google and Facebook.
The flaw was traced to code submitted in late 2011 by a German programmer, and it raised questions about whether open source review is effective if such errors can slip through.
However, Steve Marquess, the co-founder and president of the OpenSSL Software Foundation, has said the issues highlight the lack of responsibility towards OpenSSL shown by the wider technology community.
“While OpenSSL does ‘belong to the people’ it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support,” he wrote in a detailed blog post.
“The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted.”
In particular, Marquess singled out Fortune 1000 companies for not pulling their weight, despite many of them using OpenSSL within their products that are sold at a profit.
“The ones who don’t have to fund an in-house team of programmers to wrangle crypto code, and who then nag us for free consulting services when you can’t figure out how to use it,” he wrote. “The ones who have never lifted a finger to contribute to the open source community that gave you this gift. You know who you are.”
He also hit back at criticism that it had taken more than two years to find the bug, pointing to other recent security issues, such as Apple’s ‘goto fail’ error, and asking why nobody else had spotted it either.
“The code was visible all along to the entire OpenSSL community and no one saw it. OpenSSL is used by many multi-national companies and major government agencies with huge resources who didn’t spot it,” he said.
“There are many security researchers in the world who have found problems in OpenSSL and reviewed the code with a fine tooth comb. Finding this bug would have been a feather in the cap of any one of those security researchers.
“So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often.”
Marquess revealed that around $9,000 in donations had come in for the project since the bug was disclosed, but said this was nowhere near enough to support developers maintaining the code full time.
As such, he said the time was now ripe for a proper funding system to be put in place for OpenSSL to ensure such a situation does not happen again.
"There should be at least a half-dozen full-time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL," he said. "If you are a corporate or government decision maker in a position to do something about it, give it some thought."