Open Source Security Foundation gains recognition... and funding?

admin Saturday May 28, 2022

Eight years ago, Heartbleed was estimated to have cost at least 500 million USD. Since then, many more vulnerabilities have been granted infamous names, including a few whose damages are estimated at the same magnitude. And yet, despite everything that was written about EU-FOSSA and the Core Infrastructure "Initiative", only roughly 10 million € were spent on all these projects combined.

For some time, hope in OpenSSF has been growing, thanks to its approach and its reasonable direction. When Log4Shell erupted, OpenSSF's future was quite questionable. But this year, while some big challenges remain, it is acquiring unprecedented credibility, with involvement from the White House and a plan whose ambition would have been unthinkable prior to Heartbleed.

The main question now is whether it can find enough funding for these ambitions. Tens of millions of US dollars would have been miraculous before the advent of crhypetocurrencies, but we remain far from the short-term target.

148 M USD may be little in comparison to the costs of the ongoing software chaos, yet the tragedy of the commons will most likely prevent even that amount from being reached, once again. Unless, perhaps, the EU and the USA can join forces and demonstrate what collaboration can make possible?

2024-04-02 Update

How far have we come toward that, almost 2 years later? OpenSSF's website doesn't even prominently list its contributors. Wikipedia's article only mentions the initial $30M in pledges. OpenSSF's 2023 annual report merely mentions that Alpha-Omega was "awarded over $4.9M in grants toward securing open source in 2023".

As OpenSSF's efforts remain mostly a plan, reality has started to hit, with professionals scaling back their involvement in FLOSS.