The Heartbleed recovery starts with you and me

As we pick up the pieces after the OpenSSL meltdown, let's all reflect on why a globally important open source project had only one full-time developer

Page 2 of 2

I don't think it's fair or righteous to be all kinds of upset at OpenSSL or the development team. With closed source code we don't know what's going on under the hood until a zero-day exploit suddenly comes to light. Then we're completely beholden to the software vendor to issue a fix. That's a company we pay directly for the privilege of getting those updates and for the software to begin with.

To those who will try to claim that Heartbleed exposes a fundamental flaw in open source software practices, actually the opposite is true. The fact that once this vulnerability was found, it was fixed almost immediately, without the need to wait for any kind of official patch from the OpenSSL team, is a testament to how well open source works.

That said, if there's any blame to pass around for Heartbleed, it should fall on the entire software development community and software vendors themselves. Many commercial products leverage OpenSSL, but have never contributed a dime or a line of code. Nearly all Unix-like operating systems use OpenSSL, yet contribute little if nothing back.

All software gets QA'd, whether it's by paid QA engineers at the company developing the software or by developer peers and users of open source software. Bugs like Heartbleed can and should be seen and fixed very quickly when they occur, but we have no right to expect that if only a tiny group of people are reading the code.

As I said last week, OpenSSL has been taken for granted for too long. Maybe it needs a complete rewrite, maybe it doesn't. Maybe a few forks will ultimately do it good, or maybe the fracture will be too great to overcome. All I know is that we, collectively, are to blame for Heartbleed, if for no other reason than our ignorance.

This story, "The Heartbleed recovery starts with you and me," was originally published at Read more of Paul Venezia's The Deep End blog at For the latest business technology news, follow on Twitter.

| 1 2 Page 2