8 years ago, Heartbleed was estimated to have cost at least 500 million USD. Since then, many more vulnerabilities were granted infamous names, including a few whose damages are estimated at the same magnitude. And yet, despite everything which was written about EU-FOSSA and the Core Infrastructure "Initiative", only roughly 10 million € were spent on all these projects.
For some time now, OpenSSF has given reason for hope, thanks to its approach and sensible direction. When Log4Shell erupted, OpenSSF's future was quite questionable. But this year, while some big challenges remain, it is acquiring an unprecedented credibility, with involvement from the White House, and a plan whose ambition would have been unthinkable prior to Heartbleed.
The main question now is whether it can find enough funding for these ambitions. Tens of millions of USD would have been miraculous before the advent of crhypetocurrencies, but we remain far from the short-term target.
148 M USD may be little in comparison to the costs of the ongoing software chaos, yet the tragedy of the commons will most likely prevent even reaching that, once again. Unless - perhaps - the EU and the USA can join and demonstrate what collaboration can make possible?
2024-04-02 Update: funding security
How far have we come toward that, almost 2 years later? OpenSSF's website doesn't even prominently list its contributors. Wikipedia's article only mentions the initial 30 million USD in pledges. OpenSSF's 2023 annual report merely mentions that Alpha-Omega was "awarded over $4.9M in grants toward securing open source in 2023".
As OpenSSF's efforts remain mostly a plan, reality has started hitting, with professionals scaling back on FLOSS.
2024-10-09 Update: funding criminals
As ransom payments are exploding, estimates of ransomware damages keep varying widely, but with an independent estimate putting payments alone at more than a billion USD/year, the scale of our underinvestment in security has become clearer than ever. Our collective commitment to security is orders of magnitude smaller than our commitment to criminals, who keep investing in becoming more and more efficient, and more and more profitable.