If there's a poster child for the challenges facing open source security, it may be Werner Koch, the German developer who wrote and for the last 18 years has toiled to maintain Gnu Privacy Guard (GnuPG), a pillar of the open source software ecosystem.
Since its first production release in 1999, GnuPG has become one of the most widely used open source security tools in the world, protecting the email communication of everyone from government officials to Edward Snowden.
Yet Koch found himself struggling to make ends meet in recent years. The estimated $25,000 he collected on average in annual donations since 2001 weren't enough to support his efforts. As reported by Pro Publica, the 53-year-old was close to throwing in the towel on GnuPG when Edward Snowden's NSA revelations shocked the world, convincing Koch to soldier on. "I'm too idealistic," he said.
The story has a happy ending. After the ProPublica story broke, donors from around the world rushed to support Koch. He easily surpassed the $137,000 fundraising goal he had set to support his work, enabling him to hire a part-time developer. Koch was awarded a one-time grant of $60,000 from the Linux Foundation's Core Infrastructure Initiative. Facebook and the online payment processor Stripe each pledged $50,000 a year to Koch's project.
Underfunded projects, as GnuPG was until recently, form part of a vast open source ecosystem unprecedented in scale. Widespread reuse of open source code fuels today's surging technology development, but the sheer volume of that code discourages security vetting. Only recently have we begun to confront the problem, often on the heels of security breaches that embarrass the industry into action.
Will code for food
The conditions that left Koch high and dry for years are not unusual.
After Google researcher Neel Mehta uncovered Heartbleed, a serious and remotely exploitable vulnerability in a component of OpenSSL, the software community was shocked to learn that the project was largely the responsibility of what Jim Zemlin, executive director of the Linux Foundation, referred to as "two guys named Steve." Dr. Stephen Henson and Steve Marquess labored part-time to keep the code up to date, compensated by a few thousand dollars a year in voluntary contributions.
Technology vendors who rely on open source were quick to swoop in and set the OpenSSL project to rights. The Core Infrastructure Initiative that gave GnuPG's creator a $60,000 grant was established months earlier to help fund the work of Henson and others on OpenSSL. Financial support is provided by such Silicon Valley giants as Amazon, Adobe, Cisco, Facebook, and Google.
A thousand eyes blink
Heartbleed wasn't the first killer open source bug. For example, the Apache Struts vulnerability predated it by almost a year and was at least as serious.
Sign up for CIO Asia eNewsletters.