marco (updated by marco)

In defense of the OpenSSL project, the article “OpenSSL code beyond repair, claims creator of ‘LibreSSL’ fork” by Jon Brodkin (Ars Technica) cites its OpenSSL Software Foundation President Steve Marquess “describ[ing] OpenSSL’s struggle to obtain funding and code contributions.”

“‘I’m looking at you, Fortune 1000 companies,’ Marquess wrote. ‘The ones who include OpenSSL in your firewall/appliance/cloud/financial/security products that you sell for profit, and/or who use it to secure your internal infrastructure and communications. The ones who don’t have to fund an in-house team of programmers to wrangle crypto code, and who then nag us for free consulting services when you can’t figure out how to use it. The ones who have never lifted a finger to contribute to the open source community that gave you this gift. You know who you are.’ […] As for Heartbleed, ‘the mystery is not that a few overworked volunteers missed this bug,’ Marquess wrote. ‘The mystery is why it hasn’t happened more often.’” (Emphasis added.)

The emphasized text is what we should all learn from this experience.