Friday, June 27, 2014

Heartbleed and the Paradox of Security Professionals


The recent Heartbleed vulnerability in OpenSSL (a missing bounds check in the TLS heartbeat extension, CVE-2014-0160) shook the whole Internet. Yet the incident should not have been a total surprise: before it, OpenSSL had only one full-time employee and received about $2,000 a year in donations [1]. Support at that level is nowhere near enough for the developers to produce high-quality code and test the software comprehensively. I suspect that even the attackers who keep searching for vulnerabilities in OpenSSL have far more funding than its maintainers did.

But the situation has changed now: tech giants have agreed to fund OpenSSL with at least $3.9 million over three years [1]. Even a Chinese smartphone company, Smartisan, announced a donation of 1 million yuan (about $160,000) [2]. You might already sense the strangeness of this event: a mistake brought in millions of dollars!

The more astonishing thought is this: had the OpenSSL developers done a better job and never introduced the vulnerability, they would still be starving in poverty today. This paradox does not apply only to OpenSSL; it probably applies to every company that needs security. If a company's security team does its job well, the CEO may feel the team is redundant, because nothing bad ever happens. The CEO is probably not so foolish as to fire the security team, but he or she cannot see the value of its effort either, and so may never raise its salary. Thus the security team has hardly any incentive to do better. Instead, it may settle for meeting the minimum requirements, or even tolerate the occasional security incident in order to attract management's attention.

Do you know how to break this paradox?




References:

[1] Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL. Ars Technica. http://arstechnica.com/information-technology/2014/04/tech-giants-chastened-by-heartbleed-finally-agree-to-fund-openssl/

[2] Smartisan donation report (IT之家). http://www.ithome.com/html/android/86232.htm

[3] The picture accompanying this post. http://www.paradoxproductions.com/pics/tritwo.gif