We recently published our mission statement and values which included that our governance should be transparent. We’ve not really talked much about how we’re financed and where the money goes, so let’s make a start on changing that.
A little background for clarity: The OpenSSL project has two companies, registered in the USA. The first, OpenSSL Software Foundation, is a non-profit organisation that is used to hold the copyrights, trademarks, as well as things like the contributor license agreements (CLA). The second, OpenSSL Software Services, is our commercial entity that provides companies with paid support and other services, and pays our consultants to work on those services as well as development on OpenSSL. The OpenSSL project relies on funding to maintain and improve OpenSSL, and the goal of OpenSSL Software Services is to ensure long term sustainable funding to the project.
The Heartbleed vulnerability in 2014 highlighted the lack of funding of OpenSSL. The Linux Foundation therefore started the Core Infrastructure Initiative (CII) to gather funding from organisations, and they paid for two full time people to work on OpenSSL for three years, as well as a security audit. While we were extremely grateful for this at a critical time in the project, we knew that this model, and the funding itself, was going to only be a short-term interim measure. We have experimented with different ways to generate revenue ourselves, such as by accepting contracts (or sponsors) for specific features, such as platform support and FIPS. While these are helpful, they didn’t lead to reliable sustainable revenue.
We have organisations sponsoring us, both large corporate sponsors and smaller donations via GitHub sponsors. These vary year to year, and at the time of publishing this blog we have one platinum sponsor, one gold, three silver, and three bronze. There are also some organisations that provide their services at no or reduced cost. This funding helps to maintain the hardware and infrastructure but isn’t sufficient or stable enough to hire people.
So since 2020, our main source of income is by selling support contracts. Companies can purchase a contract if they need technical help with OpenSSL or if they need access to support for older end of life versions such as OpenSSL 1.0.2. Another driver for taking out such contracts is FIPS, where companies may wish to have FIPS compliant products with OpenSSL by rebranding our OpenSSL 3 FIPS certificate.
At the time of writing this blog we have just over 70 active support contracts. This has increased significantly in the last year. We started with a much smaller number of contracts mostly from companies that were using OpenSSL 1.0.2 and looking to have a year or two of backported fixes and support while they transitioned to OpenSSL 3. This year we gained a number of contracts from companies looking to use OpenSSL 3 and needing a rebranded FIPS certificate. Currently we’re getting interest from companies looking for short-term transitional support as they move from OpenSSL 1.1.1 (which becomes end of life later this calendar year). The needs of our customers will change over time, and we have to keep making sure we deliver value to our customers year on year.
This funding allows us to pay for eight consultants (at the time of writing this blog) to work full time on OpenSSL on engineering, management, and administration. Given the increased number of contracts this year we expect more positions to open up and we have a further 3 or 4 positions we are currently conducting interviews for. We also have other usual expenses (such as legal, administrative), as well as larger expenses (such as for services relating to FIPS certification and travel for conferences and face to face meetings).
We’re really glad that we’ve been able to move to a model where the OpenSSL project has a sustainable income source for the near future, helping us deliver on our important mission and values, to give everyone access to security and privacy tools.