A new model to sustain and grow important open source security projects
The Crash Override Open Source Fellowship
We love open source, we create open source, we consume open source, and like almost every other company, government and software user in the world, we rely on open source.
So how come, if open source is the fabric that powers the world, so many important open source projects are in crisis?
Underneath the surface of what seems like a healthy and vibrant developer community are countless stories of software engineers working to the point of exhaustion, struggling to maintain open source projects in their personal spare time. All too often they are tearing their hair out, frustrated by a lack of time and a lack of basic resources, while commercial companies profit from their work.
The result is that developers who are perpetually keeping the lights on for others feel the need either to commercialize the project or, worse still, to abandon it. When that happens, the world loses important security tools that reduce risk on the Internet, and is left depending on under-resourced projects like OpenSSL and Log4j, where a single flaw can turn into global security pandemonium. This is everyone's problem.
There are a number of traditional models for funding open source. One of the best known is selling support services, with Red Hat as the best known example: support dollars were used to generate commercial revenue, and in Red Hat's case to build a 30 billion dollar company. Another model is open core, where a project like our own open source project Chalk is sustained by a commercial company that has a direct dependency on the project itself. We operate as an open core business, and Chalk is at the core of our platform. There are also numerous non-commercial models, such as companies like Google and Microsoft supporting open source through grants, often via foundations like the Linux Foundation.
These existing models have proven effective, but they don't work for everybody. Many projects don't want to start a commercial business; they just want to build great software, and most of them don't have the experience to run a business anyway. Grants are few and far between, temporary in nature, and usually require significant overhead to obtain in the first place. Many projects do not like the bureaucracy, pace and size of foundations.
Like the global environmental crisis, improving the sustainability of open source is a complex problem to solve, involving commerce, politics, human nature and, perhaps most complex of all, the need for collective action. It is far too easy for everyone to stand on the sidelines saying it's not their problem to solve, or that it is so big and so complex that nothing they do will have a meaningful impact.
Today we are announcing the Crash Override Open Source Fellowship, our approach to sustaining and growing important open source projects in the security industry, using socially responsible marketing as the mechanism.
The Crash Override Open Source Fellowship is a program where we adopt important security projects that need help. We provide full-time employment to their core developers, enabling them to work independently on their project four days a week and on related open source security projects on the fifth day. We also provide resources including design services, legal help, an operating budget for things like hosting and swag, and, perhaps most importantly, business advice and support to help them become independently financially sustainable as a non-profit organization within two years. It's like an incubator for non-profit open source.
So how does it work? We first partner with a project that we think is important to the security industry but is struggling to support itself or fulfill its potential. Under the program, we employ up to two developers full-time for up to two years, covering all of their employment, benefits, travel and expenses, and the costs of operating the project.
The project itself keeps 100% of its ownership, roadmap and governance, but must commit to a few simple criteria.
They must commit to a long-term non-profit financial model. This is not a commercial incubation scheme.
They must operate using an OSI approved license.
They must commit to running the project in the best interests of the community.
There will be other criteria as we learn, but as of today it's that simple.
So you may well be asking "What does Crash Override get from this, and how can they justify doing it?"
We want to be totally transparent. We are a venture capital backed commercial company, and we have to justify to our investors how and why we spend money. We decided to do this rather than follow a common industry model of setting up a security research team to find and publish vulnerabilities that get eyeballs on our brand and product. Not only has it become increasingly hard to cut through the noise of everyone else doing the same thing, we don't think it is helpful to the industry as a whole.
We consider the fellowship to be what is called 'socially responsible marketing', where we direct our marketing money to an important cause and still get eyeballs on our brand and product in return. We hope it will be a win-win: by paying it forward, we hope the industry will in return see us favorably. If it works, we can rinse, repeat and scale.
We are committed to balancing our needs with what is appropriate for an open source project, so you won't see a brand takeover or any NASCAR-style ads, but you will see links back to us and mutually beneficial integrations with our open source projects.
Who are the initial recipients? The first project we are supporting is ZAP, a dynamic application security testing (DAST) tool first released in 2010. It has an estimated 80 thousand monthly users and is run over a million times a month, but after thirteen years at OWASP, with only small-scale, sporadic sponsorship over the years, it was unable to sustain itself or fulfill its true potential.
We hope other companies will follow suit, and together we can start a movement of using socially responsible marketing to improve the state of open source security tools, and the security of software using open source for everyone.
As always, you can keep up with news on our company, our open source projects and now the Open Source Fellowship by signing up for our newsletter at https://crashoverride.com/newsletter
We have cross posted this to our company LinkedIn page for discussions and comments.
There will be more news coming shortly about the Software Security Project. You can sign up for news about that at https://softwaresecurityproject.org