National Computer Security Day – How Volunteers Fixed The Worst Vulnerability On The Web

It’s difficult to remember a time in which purchasing products online was little more than a pipe dream. Now, credit card transactions can be securely transmitted across the web without anyone’s data being compromised. A set of encryption tools developed in the late 1990s makes this possible. OpenSSL took the complicated task of encrypting data and made it easier for developers all over the world to adopt into their programs. And a small team of volunteers made it happen. Yes, volunteers.

It’s hard to imagine large teams of developers all over the world contributing free labor to maintain some of the world’s most important software tools. In many cases, contributing code to these projects is considered a public service. Some of the developers are professionals who contribute in their free time, some are students honing their craft, and some are god-knows-what.

It’s fair to ask, what if there’s a bug in OpenSSL? What are the incentives for these unpaid volunteers to fix it? No need to wonder about that when you consider the history of the “worst vulnerability found…since commercial traffic began to flow on the Internet.”¹

Development of OpenSSL continued in virtual obscurity. Outside of software engineering and national security circles, few people even knew what it was. But the project was soon to gain some national attention in the form of a bug nicknamed “heartbleed” discovered by an engineer at Google. Heartbleed, if exploited, could potentially allow hackers to gleen sensitive data (like credit card numbers and email addresses) being exchanged across the web.

A U.S. Department of Defense security consultant named Stephen Marquess, who had also contributed code to the project, helped create the OpenSSL Foundation in order to generate funds to keep OpenSSL alive. Marquess made a public call for support for the team to prevent future bugs from escaping detection for as long as heartbleed did:

“These guys don’t work on OpenSSL for money. They don’t do it for fame (who outside of geek circles ever heard of OpenSSL until “heartbleed” hit the news?). They do it out of pride in craftsmanship and the responsibility for something they believe in.”

Heartbleed turned out to be a blessing in disguise. The discovery of the bug generated more monetary support for the OpenSSL project. But the future may hold new complications. The open source business model—or lack thereof—makes it difficult to guarantee funding for important projects. You can donate to the OpenSSL project through their website, but there are many more software tools out there lacking the support to survive.

If you’re interested in supporting open source projects, here’s where you can start:

• Find the project website or GitHub page
• See who the contributors are
• Check to see if they are accepting donations
• Share the project with others
• Consider becoming a contributor

InMotion Hosting deploys hundreds of open source programs of all sizes and complexities with their hosting products and wishes to express their gratitude for the people behind the scenes who make it all possible by donating their time and intellectual resources.

Open source projects start up and fade away all the time. Without support from community volunteers or a sustainable business model, your favorite project might disappear. So get involved today.