The existence of the Heartbleed bug showed us there are a lot of dirty clothes in the closets of many tech companies as well as the U.S. Federal Government. The "founder" of the problem, OpenSSL, is used by all the giants of the Internet world, including Google, Facebook, Dropbox, etc. These companies earn billions of dollars thanks to the many who supervise their security. Steve Marquess, the president of OpenSSL, told the full story in an open letter. Here is a small part of the letter:
"Lacking any other significant source of revenue, we get most of ours the hard way: we earn it via commercial “work-for-hire” contracts. The customer wants something related to OpenSSL, realizes that the people who wrote it are highly qualified to do it, and hires one or more of us to make it happen. For the OpenSSL team members not having any other employment or day job, such contract work is their only non-trivial source of income."
It is hard to believe, but only one man works as a full-time employee for OpenSSL. His name is Stephen Henson, and a few other developers help him. Together they amount to ONLY two full-time employees. Their job is to supervise more than half a million lines of code.
According to Steve, OpenSSL has never received more than $1 million a year. It typically receives about $2,000 a year in outright donations and sells annual commercial software support contracts worth US$20,000, along with both hourly-rate and fixed-price “work-for-hire” consulting.
The OpenSSL Foundation doesn’t have funds for its staff and is largely ignored by companies. Steve wrote, “These guys don’t work on OpenSSL for money. They don’t do it for fame (who outside of geek circles ever heard of them or OpenSSL until “heartbleed” hit the news?). They do it out of pride in craftsmanship and the responsibility for something they believe in.”
“I’m looking at you, Fortune 1000 companies,” he said.