Welcome ZAP to the Open Source Fellowship

esterday we announced the Crash Override Open Source Fellowship, a program to support important open source security projects, and that ZAP was the first project we are supporting.

Like many people in appsec I had heard of ZAP, but my first real exposure to the team was in late 2021 when I met Simon Bennetts, the projects leader at the OWASP Conference in San Francisco. I was joining the OWASP Board of Directors the following year, and wanted to get a jump on understanding the community problems first hand that I had heard about and knew existed.

Along with Simon, I met quite a few project leaders of highly successful projects that were frustrated by the lack of support OWASP was able or willing to provide, something that later resulted in the Open Letter to the OWASP Board.

ZAP is somewhat of a phenomenon in the open source security tools world, with an estimated 80 thousand active monthly users, and is run approximately 1 million times a month. ZAP is also embedded into many commercial tools and SaaS services and used by thousands of consultants. The fact that leaders of highly successful open source security projects, used by tens of thousands of people, run millions of times a month, and generating millions of dollars of cash for other people, were having to do things like putting their personal credit cards into online services that they needed, and run their own equivalent of ‘go fund me’ pages to keep the lights on, was frankly sad.

Over the last decade, financial support for ZAP development has been sporadic, generally bouncing between Simon working for startups embedding ZAP into their core product, and small sponsorships and donations while at OWASP. Like many open source projects, it has a few heroes working in their own time for the benefit of the tens of thousands of users. That is just not a fair trade.

I offered to help the ZAP team and others raise funding, something I initially thought and was led to believe would be relatively easy. The Linux Foundation quickly stepped up to fund the ZAP core team as part of a new community effort called the Software Security Project, but withdrew funding at short notice at the end of last year. As a company we stepped in to cover them, and worked with them to develop the Open Source Fellowship program.

ZAP is a perfect fit for our help.

• Is an important tool to improve security for everyone on the Internet

• Has an established large and active user base

• The team do not want to become a for-profit company

• The team want to grow the project rather than just sustain it

• The team can benefit from our business experience in developing and operationalizing a funding model

We are excited to be working with ZAP, and have initially been helping them develop a long term funding model. After exploring all the options, that is based on providing paid support, something that has been requested in the past by quite a few users. Their model will also involve professional services to help companies effectively deploy and use ZAP as well as development work to customize and extend it.

If the ZAP team is unable to make the preferred model of support and services work for them, it is likely to also dual license the project using a copyleft license, effectively forcing many commercial companies making money from it, to have to buy a dual license. If ZAP is to become financially sustainable and remain 100% independent, then it must explore all models until it finds one that works.

We encourage you to head over to the ZAP site to learn more. If you are a ZAP user, we strongly encourage you to purchase a support contract. 100% of the money goes back to the project to maintain and grow the product you are using.

As always you can keep up with news on our company, our open source projects and now the Open Source Fellowship on our newsletter by signing up https://crashoverride.com/

There will be more news coming shortly about the Software Security Project. You can sign up for news about that at https://softwaresecurityproject.org