Bugcrowd, the bug bounty marketplace driven by crowdsouring, has launched a donation campaign in order to help pay for a security audit of OpenSSL. The hope is that such an audit will prevent another Heartbleed.
The Bugcrowd campaign came into existence after the start-up heard about Steve Marquess' (the President of the OpenSSL Software Foundation) response to questions about code audits in the aftermath of the Heartbleed disclosure.
"We simply don’t have the funding for that," he said, referring to a formal security audit of OpenSSL.
"The funding we have is to support food and rent for people doing the most work on OpenSSL. The irony here is everyone uses it and no one supports it financially."
His point is a valid one. OpenSSL is one if the most popular implementations of SSL/TLS on the Web, and it's used by organizations both large and small, including a majority of the Fortune 500 / Fortune 1000.
Yet, the project itself is maintained by a tiny group of developers. This small group has little to no help from the outside when it comes to security, which is tragic given that Heartbleed could have easily been detected by a security audit in the code.
In an attempt to help address this situation, Bugcrowd is gathering donations in order to fund a proper security audit.
In an open letter to the security community, Bugcrowd said that the crowd funding campaign will help pay bounties for those who participate in the OpenSSL audit.
[W]e will raise money that will encourage crowdsourced security testing, so we can root out any other vulnerabilities in OpenSSL. Not every Internet user can contribute code or security testing skills to OpenSSL, but with a very minor donation to the fund, everyone can play a part in making the Internet safer.
We believe everyone should have the opportunity to participate, so there’s no minimum contribution, and no maximum either. Those who contribute will be credited according to the level of their contribution, and acknowledged as being a part of this historic effort. 100% of what is raised will be offered to the security research community...
So far, the campaign has raised more than $5,600, nowhere near the target goal of $250,000, which would enable a complete audit of OpenSSL. The question is, while individual support is important (and the showing so far is strong), where are all the corporate donations?
The Fortune 500 / 1000 has built applications and services on the backs of the coders who produce OpenSSL. Even if they don't donate money, why not donate a developer's time and have them audit some code?
Firms such as McAfee (Intel), Symantec, Kaspersky, Cisco, Google, Yahoo, Microsoft, Juniper, PNC, JP Morgan Chase, Bank of America, Comcast, Time Warner, Verizon, AT&T, and Sprint all use OpenSSL in their products and services.
But I was unable to see any link between them and OpenSSL development. Given the hype and drama over Heartbleed, how can some of the Web's largest firms sit back and watch as others work to fix the problem?
But remember, this isn't about money; it's about leveraging the security community's talent pool to help prevent something like Heartbleed from happening again. Time and knowledge is sometimes just as valuable to projects like OpenSSL as money, and in some cases, such things are worth even more.