Open source projects would benefit from a funding system that would secure funds for future development.
Chris Wysopal, CTO of Veracode, said that the model which Wikipedia uses to ask for cash donations could work for open source projects to ensure that a developer could be paid to fix future escalating flaws.
He said: “I wonder if when you downloaded OpenSSL, it said ‘donate $1 to make sure that there is a security audit done’ how many would pay? I think that would fund an audit and fix of the software that you are reliant on. It is interesting that the Wiki foundation has been successful with the model of small donations but we’ve not seen it with open source, but I wonder if it is coming.”
Wysopal said that if you go back ten years, many articles were on whether open source was secure and whether it can be trusted, and over the years there have been vulnerabilities, but as there are vulnerabilities in all software, open source should not be singled out.
“So now we have come to a more mature place where we know there are vulnerabilities and we want to use it, so let’s try and secure it,” he said. “The industry is heading in the right direction, but it is slow to make these changes.”
The concept of crowd funding for open source was welcomed. Brian Honan, CEO of BH Consulting, said that financial support is welcome for any Open Source project as it can help fund resources such as hosting.
He said: “One of the biggest challenges open source security projects face is getting skilled people involved in the project. If we had more skilled individuals willing to give up their time to help work on the project we may get a better return on that. It would be great if vendors who integrate such tools would donate some of their staff resources to the projects or encourage their staff to contribute. Money helps a lot but skilled resources would help more.”
In an email to IT Security Guru, Chris Boyd, malware intelligence analyst at Malwarebytes, said: “I don’t think there’s a problem donating to open source software, as that’s been happening for many years.
“The key difference here is that people would be asked to donate for something that’s essentially critical to the functionality of the software in question. Not everybody would pay, so there’s a danger that those contributing would ask ‘What’s in it for me?’ when their donation has a positive impact on all software users.
“The obvious answer is that ‘It works as intended’ but the success of Kickstarter in recent years could lead to the development of a tiered rewards programme for those who want an added incentive.”