[Geoserver-devel] funding security fixes discussion

I floated an idea in today’s meeting that I am bringing to the email list for discussion.

We continue to have security vulnerabilities reported (several came in this week) as is to be expected for a successful project.

So far the companies reporting security issues show no sign of being willing to pay to have these issues addressed. In a sense they have already contributed by hiring a security firm to review the code and report these failures to us.

The vast majority of fixes have been addressed by service providers on behalf of their customers, boundless on behalf of its product, or community volunteers (often trying to get a release out).

This approach is not able to sustain the high quality we have all come to expect from the GeoServer project.

From a sustainability point of view it does not matter who fixes these issues so long as they are fixed. I would like feedback on the following proposal to ensure it does not step on anyone’s business model or livelihood.

We have used OSGeo to run funding for code sprints. We can also add an OSGeo PayPal donate button to our page. Both of these approaches treat GeoServer as a charity and undervalue what GeoServer offers (see references). I would like to find a middle ground between charity and accidentally competing with service providers.

Idea:

  1. Set up “security fund” to put towards security fixes
  • operate half way between “code sprint sponsorship” and SAC small contract model
  1. Participants buy in and receive
  • Need to set the price high enough to be useful, say $5000 annually

  • Offers access to the geoserver security email list, which collects and discusses vulnerability reports as they reported.

  • We are “selling” visibility into security issues, not specific fixes

  • Based on issues (participants can now see) options are available
    Volunteer their own staff and resources to address the security concern
    Fast lane: engage one of our commercial support providers
    Slow lane: wait for issue to be collected by a small contract

  • security email list offers chance to coordinate testing with those working on fix.

  • open to any incidental perks (“secure geoserver” logo, t-shirt, souvenir handcuffs …)

  1. GeoServer Team
  • Contributors interested in security issues have already signed up to geoserver security. Currently work is divided up across contributors / organizations based on availability.
  • For issue of interest to your employer, you personally, or your customers you may have the availability or budget to respond
  • Set up a small contract each time there is enough issues (and enough budget) to address outstanding vulnerabilities.
  1. Small security focused contracts
  • Looking a T&M contract as security issues are hard to predict and we are not looking short change developer
  • Willing to set up a contract “paying full price” for short-term high priority turn around in event of active exploit. Budget permitting of course.
  • Majority of contracts expected to 'sweetheart rate" to be handled as a background activity to fit in-between normal “customer” work.

The above is based on security being a “roads and bridges” concern. Do not want to compete with contributors on new feature development or general bug fixes.

Sustainability references:

···


Jody Garnett