The Heartbleed bug was caused by a business model error. When we were in the real-time software business, our best customer was an old-line manufacturing company that, before qualifying us as a vendor, wanted to make sure we were making a profit from selling software to them. They did not want to depend on complex engineering products made by a company that could not afford a quality control process, or that had no motivation to use one. This level of clarity is not all that common, and the complexity of open source business models confuses people.

Linux is a generally reliable system because Red Hat is able to monetize the core business by virtue of being the “standard”, because a huge user base acts as a first line of testers, and because multiple other companies have clear business requirements that push them to invest engineering resources in the system. For example, the makers of network devices usually have professional engineering teams building and testing their drivers so that they can sell hardware. This testing, by necessity, also tests the network stack. But if you are not familiar with Linux development, and don’t see all the commits from people with email addresses at major technology companies, you might get the impression that this free software appears magically.

That network of motivations is much weaker for a special-purpose component like SSL code, and the quality requirement is also higher. But the same problem can arise even without open source, where pricing for proprietary components is too low. The market involves multiple niches where open source economics or industry pricing assumptions cannot produce the required level of component engineering quality. Discovering and navigating those gaps may be the difference between success and failure.

Also posted on Linkedin and FSMLabs 

Heartbleed and open source