Anyone who wants to stay in the "hears-about-this-kind-of-thing-early" club should need to pay $10k/month (though of course membership in this club is still offered at OpenSSL's sole discretion, and they would be allowed to waive this fee).
Google, Amazon, Facebook, and Akamai (off the top of my head) will each pay that without batting an eye; that's $480k/yr. right there. I imagine they could probably get some banks in that club as well.
> Anyone who wants to stay in the "hears-about-this-kind-of-thing-early" club should need to pay $10k/month
If I find a vulnerability in code from a project which is pulling this sort of stunt, I will make sure I share details with distributors only under the strict condition that they are not allowed to tell the project about it.
Responsible disclosure usually means "start by telling the authors", because usually the authors know who needs to be contacted and will do that responsibly. If they're just going to sell off exploits to the highest bidders, they should have no role in the disclosure process.
I'm not even sure where this comment came from, and how it applies. This isn't about delaying details to anybody (or, worse, hiding details from anybody), it's about providing details earlier to a group of people who have a strong enough vested interest that they are willing to pay for it and have been vetted as trustworthy enough to allow it.
Given how important OpenSSL is to the web's infrastructure (and the many companies who utilize it), I think there would be value in ensuring it has appropriate resources to fulfill that duty. This idea may not be a perfect solution, but calling it a "stunt" is hyperbole, IMO.
The FreeBSD Security Team works with other software distributors to make sure that they have advisories and patches ready when bugs are first disclosed publicly.
In my years as FreeBSD Security Officer, we in very rare cases gave advance notice of vulnerabilities to end users, and those decisions were made on the basis of "we happen to know that these people are using the software in a way which makes them particularly vulnerable". (In most or all such cases we didn't even provide a patch, just a warning of "make sure you have people around at 10AM tomorrow in case you need to release an update quickly".)
Nobody ever got advance notice by virtue of having donated money, and I reminded Security Team members that they should not give any advance disclosure to their employers.
Except you can't give security vulnerability details to everybody until you have a patch ready (and I certainly wouldn't argue that you should allow paying for earlier access to the patch). On the other hand, when you have a business relationship with somebody, with non-disclosure agreements in place, you can tell them more details much earlier.
Given that you are the exact type of person that I would want reviewing OpenSSL, thank you for your feedback!
What would you say if this was worded more like Patrick's "priority support" clause in his analysis of Tarsnap? Practically it would just mean they send an email to the priority support list before they send it to the listserv. I still think major enterprises would get on board.
> Practically it would just mean they send an email to the priority support list before they send it to the listserv
Mail servers are fast enough these days that I don't think that it really matters what order the emails go out in. Maybe someone would want to pay to get a phone call when an advisory goes out, though.
I have no objection to providing support for paying customers, e.g., to help them figure out if they're affected by a bug. But money should not result in you hearing about a bug any earlier.
So, I for one am convinced at this point -- largely by your comments, but also the rest of the thread -- that this proposal would burn too much goodwill. I think charging businesses for "something" is an avenue that needs to be explored, but early notification is clearly not that thing.
So, people are definitely misinterpreting my suggestion. This is my fault, as looking back I stated it pretty badly.
The goal is to give businesses who are already in the early-warning club an excuse to write $10k checks every month. The intention was not to solicit anyone and everyone.
It would continue to only be offered to organizations who are (in the collective opinions of the OpenSSL project leaders) going to neither leak nor use the vulnerability -- exactly what happens today.
They would be allowed to (and, I'd hope, would) waive the fee if a major stakeholder were obstinate about it, because (I hope) they actually care about the security of the Internet.
You offer this membership only to trustworthy members of the community who have an interest in keeping their services and products secure, such as RedHat, Google, Facebook, Oracle, Debian and so on. I think you can trust people at Google not to exploit a vulnerability and not to sell it for bitcoins.
Unless a critical vulnerability is exploited in the wild, it should first be disclosed to big Linux distributors so they can prepare patches, and to companies responsible for critical Internet infrastructure so they can fix their systems before telling the general public. With this proposal you just charge companies who can afford it membership fees and provide this service for free to open source/non-profits who could not afford it.
Someone below suggested hitting up all the multi-million dollar companies that use OpenSSL. A now-deleted response said something to the effect of "sure, that's easy. I'll just call up the purchasing department."
I don't know a lot about large companies, but I do know a little about getting small companies to give you money. Small companies are cheap, but there are a lot of us, and if you only need $800K, well, that is 800 companies donating a grand a year each. There are many thousands of small technical businesses who can afford a grand a year.
So. First problem, for a small company? You need to give us something to buy. This helps out tax-wise, and it also makes the deal feel better. Hell, you can call OpenSSL a for-profit at that point, which means little paperwork for you, and if you pay out everything you get as salary, you have to pay the same payroll taxes on that either way anyhow, if I am not mistaken.
So, what can the OpenSSL people sell me without causing a conflict of interest? How about advertising? maybe give me a website badge. "OpenSSL sponsor" maybe with a silver/gold/bronze or something (or maybe even just the amount) - Also put me on the sponsors list on the OpenSSL website with a link to my website and maybe my tagline or a logo at the more expensive levels.
I'll take the grand out of my advertising budget and it's all above-board tax wise for me, and the paperwork is easy. I've bought advertising before.
The purchasing department is the last place you'd want to call - purchasing is the department people in the org go through to buy things, not the other way around.
You'd either want to talk to someone senior in IT security or anyone above them, up to and including the CTO or someone in risk management/liability. Doing sales to those people is most likely expensive, probably costing $10k+ per client, which would be the cost of someone going to networking events, visiting prospects, presentations, documents etc.
In my experience paying yearly is much preferred to paying monthly in large orgs. due to the process that has to be gone through to purchase something (Longer than a year can cause budgeting problems).
> You'd either want to talk to someone senior in IT security or anyone above them, up to and including the CTO or someone in risk management/liability. Doing sales to those people is most likely expensive, probably costing $10k+ per client, which would be the cost of someone going to networking events, visiting prospects, presentations, documents etc.
This is why I'm suggesting something that can be sold online, at a price point that doesn't require per-customer sales effort. I don't have many $1000 per year customers, but I have a few; and I have a fair number of $500+ per year customers. I did not spend more sales effort on those customers than I did on my $100/year customers.
I say this as evidence that $1000/year is below the "high touch sales" threshold.
I'm mostly thinking you'd go to big companies with something at the $100k/year level for membership - including some influence in project direction, code review methods, audits, features etc.
Selling something online could work, but the question is what do they get for their money? A t-shirt, name on website etc. Though in a world of Kickstarter it could work if done right. This is a $50/yr deal for most, which is 20k people to get to that same $100k, with a lot more community work to keep up with those people.
My main point here is that there is space between $50 and $100,000. Assuming OpenSSL doesn't have infrastructure, my suggestion is that they try to charge as much as they can and still stay under the level where you need sales.
$1000, from experience, is below the level where you need per-user sales.
> Selling something online could work, but the question is what do they get for their money? A t-shirt, name on website etc. Though in a world of Kickstarter it could work if done right. This is a $50/yr deal for most, which is 20k people to get to that same $100k, with a lot more community work to keep up with those people.
I would suggest that for corporate sponsors, you make it more clear than Theo does that you are buying advertising, not donating money. I think selling a "I helped pay for software you use" website badge is a good way of doing that... but look at the mirrors.centos.org sponsors page. You are very clearly buying advertising space, in that case.
Heck, the CAs charge a lot of money for badges that mean nothing; the OpenSSL people could create a similar badge. "OpenSSL developer club auxiliary" or something.
The problem isn't a lack of
> I'll take the grand out of my advertising budget and it's all above-board tax wise for me, and the paperwork is easy. I've bought advertising before.
It's a lack of,
> I'll call up and close 800 businesses for you and keep track of invoicing them. As well as do product management on getting something together that is something they can support. I don't need any resources.
At this level, I wouldn't call anyone. In my experience, the best publicity is news stories written by other people. Many years ago, when I was the best RAM-per-dollar deal around, a blogger's benchmark that made the Reddit and HN front pages took my business from almost nothing to "I can quit my day job" money in a very short period of time. I bet if the OpenSSL folks announced this soonish, the sales work would be done by the media. In fact, I think this is the big advantage of the low-dollar small-business accounts. You can say "here is the deal, take it or leave it" and wait for people to take it. For the big corporate deals, you have to meet and call and actually sell.
And for invoicing at this scale, use cashflow accounting. The sale closes when you receive payment. There will be some work matching up checks to logos, but at $1000 a pop, the 5% of customers who don't write the account identifier on the check are worth tracking down.
You do need to do accounting, but you need to do accounting at the current $2000/year level, too. I don't think they are committing themselves to all that much extra work if they only get a few buyers.
I have... intimate experience with the "I got too many customers before I had sufficient automation" problem... and yeah, it is a problem when you have $50/yr customers. It is not a problem, I think, when your smallest customers are $1000/yr.
2) They need to coordinate with Fortune 1000 companies to get their company listed as a United Way alternative.
3) They need to campaign the nerds in the tech community whose companies do United Way donations and ask that their donations are directed to the OpenSSL foundation.
This solves 2 problems: 1 is the immediate need for cash, and 2 is a reliable cash flow. We donate monthly. I currently give to a cancer non-profit and a local hacker space. I would move my donations away from the hacker space for the foreseeable future if the OpenSSL guys did this.
A 501(c)(3) is expensive in legal work. Unless they can find a pro-bono lawyer, this puts the plan in the "it takes money to make money" category.
Then it still doesn't guarantee they'll increase donations without marketing so people know about it. Until Heartbleed became public, I imagine few companies were aware that OpenSSL had so few resources and such great needs. They definitely need to capitalize and hope the bad press doesn't make large companies seek an alternative.
I dunno. I think the effort might be worthy of the EFF's time if they have the expertise. I don't think that any EFF donors would be upset that they spent time to help OpenSSL set up a non-profit.
I'm less sure how OpenSSL can pull in large revenues on an ongoing basis, but I can tell you how it can easily attract significant money right now: do some bloody fundraising over the next few days or weeks! Just structure it as a crowdfunding drive and stick it up on Kickstarter or whatever for minimum hassle. (You might have to do a bit more work to also avoid tax, I don't know.) If they've attracted €3000 so far in donations without lifting a finger, imagine what they could do if they actually went out to capitalise on the publicity and the unhappiness generated by Heartbleed over the past few days. For that matter, a third party could do the Kickstarter, just as long as people can trust him/her/it not to run away with the money. I previously suggested giving the money to the Internet Bug Bounty pot instead of to OpenSSL itself https://news.ycombinator.com/reply?id=7566208 but obviously money could go to either, or to other relevant good causes.
Now, OpenSSL is _far more important_ than both of these but still doesn't manage to get funds? Sounds more like they just hope people will come because they want to.
Rounding error in donations, but easily $X0k+ to purchase proactive mitigation. It's not like (without loss of generality) Yahoo is a stranger to paying for engineers, security technology, software licenses, or insurance policies.
But you are not paying for a service, because funding OpenSSL is a classic free rider problem: the company would be better off not funding OpenSSL, even though all companies would be better off if they all funded OpenSSL.
By that logic, the tax accountant could argue that they should arrange a company's finances so they pay more tax, in order to pay for more "stability" by funding the government.
Does it matter about everyone else though? Your company values rock-solid encrypted communication and is willing to pay a premium to ensure it remains rock solid. The fact that everyone gets it is just a side effect of that.
They need to bring about exposure and awareness. Although I use it obviously daily in work and in life; I have never even thought of nor been propositioned to donate. I had no idea that it wasn't being supported by a large company. Call me naive, but they need awareness.
You're asking like it's the first time an open source project was sponsored by large corporations. Let's see, what's in it for Google just in terms of PR? Developers it can attract? Ways it can get webmaster mindshare?
Upvoting because I think people misunderstand the nudge here: Dwarf Fortress does both of these, and easily pulls in more money than OpenSSL on average. Sometimes up to twice as much if they just had a big release. (Which is - regardless of how good Dwarf Fortress is - a shame).