A look at the complicated business of funding open source software development.

It was just before midnight on New Years Eve, 2011, when Stephen Henson broke the internet.

The 43-year-old British software developer had accepted a small change to the code for OpenSSL, an open source encryption protocol that secures a substantial portion of the web. The fact that it was open source meant that anyone could see its code online and volunteer to help write code for the project. But just because anyone could contribute didn’t mean many people did.

Henson had spent more than a decade working on OpenSSL with a small team that never consisted of more than three or four other core developers. By late 2011, he and the other core OpenSSL developers were responsible for maintaining a codebase that consisted of nearly a half million lines of code, the vast majority of which was either written or approved by Henson himself. This was no small responsibility, either. OpenSSL was used to secure the web servers used by two-thirds of all active websites on the net, as well as email servers, chat servers, VPNs and the network infrastructure of military, government, and financial institutions.

The code change that Henson approved on that fateful night in December had been submitted by a German developer named Robin Seggelmann, who helped write the “heartbeat” standard in OpenSSL. Henson and Seggelmann had been workshopping the code for weeks before it was approved, but nevertheless failed to catch a bug that would allow an attacker to intercept information that was passed to any site secured by OpenSSL.

Seggelmann would later admit that the bug in the code, now known as Heartbleed, was “quite trivial,” even though it will go down in history as one of the most dangerous software vulnerabilities ever discovered. For someone as experienced as Henson, it should have been easy to spot and fix—but everyone makes mistakes. In fact, Heartbleed lived in the OpenSSL code for nearly two and a half years before a coder at Google spotted it in 2014 and the vulnerability was fixed. Still, the bug continues to live on hundreds of thousands of devices, many of which are unlikely to ever get patched.

OpenSSL is just one of thousands of open source software programs that millions of people rely on every day for tasks that range from browsing the web or watching videos to real-time translation or using voice recognition on their smartphone. Each of these projects is open source, which means its code is freely available for anyone to look at or use as they see fit.

Since its inception, one of the biggest selling points of open source development was what the software developer Eric Raymond called “Linus’s Law,” or the idea that with enough people looking at some code “all bugs become shallow.” Thus, after the Heartbleed bug was patched, the biggest question on everyone’s mind was how such a critical vulnerability could go unnoticed for so long and whether similar bugs lurked in the code of other open source projects.

As Steve Marquess, the former CEO of the OpenSSL Foundation, noted in a blog post after the fact, Heartbleed was attributable to developer burnout and lack of funding. According to Marquess, the foundation was operating on a budget of less than $2,000 in donations and under a million dollars in contract revenue annually. The foundation couldn’t take on more contracts because its developers, many of whom had full-time jobs and families, simply didn’t have the time.

In fact, Marquess wrote, Henson was the only OpenSSL developer working on the project full time—and for a fraction of what he could have made taking his considerable technical skills elsewhere. “These guys don’t work on OpenSSL for money,” Marquess wrote. “They don’t do it for fame. They do it out of pride in craftsmanship and the responsibility for something they believe in…knowing that [they] will be ignored and unappreciated until something goes wrong.”

Clearly, something was broken with a system where the security of the global internet was almost entirely supported by the selfless efforts of one overworked and underpaid programmer. As for who was to blame, Marquess pointed to the “commercial companies and governments who use OpenSSL extensively and take it for granted.”

“I’m looking at you, Fortune 1000 companies,” Marquess wrote. “The ones who include OpenSSL in your products that you sell for profit. The ones who nag us for free consulting services when you can’t figure out how to use it. The ones who have never lifted a finger to contribute to the open source community that gave you this gift.”

Marquess and Henson both left OpenSSL in 2017, but not before securing the immediate future of the project. In their absence, the OpenSSL core development team has grown to seven people and the project is funded through at least 2021. This is mainly due to a substantial grant from the Linux Foundation Core Infrastructure Initiative, a project dedicated to distributing resources to open source projects that are critical to the security of the internet. The Core Infrastructure Initiative itself is funded through donations from major tech companies such as Amazon, Google, IBM, Microsoft, Facebook, and Intel. This grant means OpenSSL is safe—so long as these companies keep donating.

On the surface, the open source software community has never been better. Companies and governments are adopting open source software at rates that would’ve been unfathomable 20 years ago, and a whole new generation of programmers are cutting their teeth on developing software in plain sight and making it freely available for anyone to use. Go a little deeper, however, and the cracks start to show.

The ascendancy of open source has placed a mounting burden on the maintainers of popular software, who now handle more bug reports, feature requests, code reviews, and code commits than ever before. At the same time, open source developers must also deal with an influx of corporate users who are unfamiliar with community norms when it comes to producing and consuming open source software. This leads to developer burnout and a growing feeling of resentment toward the companies that rely on free labor to produce software that is folded into products and sold back to consumers for huge profits.

From this perspective, Heartbleed wasn’t an isolated example of developer burnout and lack of funding, but an outgrowth of a systemic disease that had been festering in the open source software community for years. Identifying the symptoms and causes of this disease was the easy part; finding a cure is more difficult.

Like Marquess, many developers see open source’s growing pains as a mostly financial problem that could be fixed if giant tech companies would contribute more resources to the open source software projects they depend on. This would, in theory, allow developers to dedicate more time to open source projects and incentivize other programmers to contribute to them.

It’s not enough to just throw more money at the open source community, however. Increased funding creates its own problems in terms of how that money is distributed and what the organizations supplying the funding demand in return. Indeed, there is a risk that an influx of capital could destroy the community-driven foundation that has sustained open source development for nearly half a century.

To understand the current debate about the economics of open source software, it’s necessary to consider it in the context of its historical development, which can be traced back to the MIT Artificial Intelligence laboratory in the early 80s.