Prevent The Next Log4Shell - A Call To Action
Written by Nikos Vaggalis   
Monday, 15 September 2025

Open Source Economy is a new nonprofit organization formed by maintainers of several critical Java libraries to build a safer, stronger Java ecosystem and avert incidents such as Log4Shell. What makes this attempt different?

The drill is well known and here at IProgrammer we have covered it many times before. Companies, organizations, institutions, heck, society itself, all stand on the shoulders of giants, namely open source software.

That's fine, but the issue is that this kind of software is maintained by volunteers doing their best, without the time or resources to meet the scale of responsibility. This was best documented in "EU Bug Bounty - Software Security as a Civil Right":

It is amazing to think that the OpenSSL Software Foundation which is responsible for the maintenance of the OpenSSL library, the cornerstone of safe transactions on the Internet used by millions of websites and organizations, receives just $2000 of donation money per year and has only ONE full-time employee working on the library. All that was revealed after the discovery of the Heartbleed bug, something that finally shook the waters and motivated the big industry names to support the foundation with proper funding.

Many other CVEs followed until we reached the Log4Shell incident, which impacted millions of systems and cost companies worldwide enormous sums. Surely with that kind of responsibility there should be a steady funding scheme in place, rather than relying solely on donations to sustain the open source paradigm.

Fortunately there are attempts, mainly by the EU Commission and a few enterprises whose critical infrastructure relies on open source libraries. We examined the attempt in "EU Commission Reactivates Bug Bounties":

After a period of inactivity, the EC Open Source Programme Office (EC OSPO) has awarded a contract for organizing bug bounties on open source software.

A State-sponsored bug bounty comes as refreshing news in that it shows that amongst the bureaucrats there are tech-savvy people who understand the true value of OSS software to society, and as such the impact when its security goes wrong.

Yet another attempt, this time not related to funding but instead concerned with education and in-the-field support, was the Alpha Omega Project run by the Linux Foundation and backed by giants like Microsoft and Google. We covered that in "New Initiative For Taking Open Source Software Security Seriously":

The mindset is that it's best to prevent the bugs happening than racing to patch them as soon as they are identified. And that can only take place through educating developers to involve security as part of their software's lifecycle rather than treating it as an afterthought.

The foundation is taking a preventative approach which in essence aims to prevent the security related bugs happening in the first place, or identifying them quickly if they do. This involves technical assistance, use of manual code reviewing and whatever tools are appropriate to identify critical vulnerabilities. But the most important aspect is the mentoring they'll provide to the software's maintainers.

That is nice, but the pressing matter is none other than funding. Bug bounties and sponsorships by the European Union or the Linux Foundation's SOS Rewards are welcome, but not enough, since they are small in scale. So here is the point where Open Source Economy steps in, bringing a new approach to the table.

Instead of waiting for the next Log4Shell, the people who matter, the maintainers of several critical Java libraries, came together to build a nonprofit partnership model between maintainers and the companies that rely on them, in order to help build a safer, stronger Java ecosystem.

The maintainers involved in the project are those of several Java libraries that the OpenSSF has classified as critical, including Log4j, HttpComponents, FasterXML Jackson and Woodstox, SnakeYAML, luben zstd-jni, and more.

If your company understands the OSS situation and is concerned about the long-term security and stability of these libraries, and about the availability of support and bug fixes, it could very well be interested in exploring a formal partnership with the maintainers to ensure their sustainability and security. That's what Open Source Economy is aiming for.

A potential partnership could offer:

  • Guaranteed availability of security patches
  • Access to Long-Term Support (LTS) versions
  • Prioritized bug fixes (non-security)
  • Direct access to maintainer's expertise for technical questions
  • Help with operational issues (deployment, performance)
  • Formal support with a Service Level Agreement (SLA)
  • Private training or workshops for our team
  • Ability to sponsor and prioritize new features
  • Receiving compliance artifacts (VEX, etc.)
  • Meeting regulatory compliance needs
  • Fulfilling corporate social responsibility or giving back to the open source community
  • Brand recognition

But in order to formalize the procedures, the organization is asking for your input to understand what challenges you face with those libraries and what kind of support would actually help you. Your feedback will directly influence how they prioritize efforts and design new ways to serve the Java community. The survey takes just 5 minutes and you can skip anything you're not comfortable answering.

The questions ask things like:

  • Which versions of the JDK are you using in production?
  • Which JDK vendor are you using in production?
  • Does your enterprise pay a subscription fee for the JDK you are using?
  • Which of the following (list) libraries do you use regularly?
  • Have you ever encountered any issues (e.g., bugs, security vulnerabilities) with those libraries?
  • and so on

The anonymized results will be shared publicly.

So take a few minutes to fill in the survey. It could prove a big deal in the long term. The link is below.


More Information

Open Source Economy

Take the survey

Related Articles

EU Commission Reactivates Bug Bounties

New Initiative For Taking Open Source Software Security Seriously
