In the world of open source software, we often celebrate the code, the contributors, and the collaboration. But beneath the surface lies a world unknown to most. It’s not a secret, it’s just not something most of us pay attention to: the foundations that drive some of the open source projects we rely on. I had the opportunity to discuss this with Dr. Kelley Misata, who has served as president of the Open Information Security Foundation (OISF) for over 12 years. OISF is the organization behind Suricata, the very capable and well known open source network analysis and threat detection software.
When Kelley reached out to me to discuss the OISF, I couldn’t say yes fast enough. Open source foundations are one of the topics I want to discuss on a regular basis on Open Source Security. Kelley’s insights reveal the challenge of keeping critical security infrastructure funded, developed, and thriving in a world where open source isn’t free.
This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
The Foundation Paradox: “We Are a Nonprofit, We Are Not Poor”
When most people hear “open source nonprofit,” they envision an organization sustained by charitable donations and goodwill; that, after all, is the “open” in open source. But Kelley explains this with a simple statement she often shares with potential partners: “We are a nonprofit, we are not poor.”
Kelley then revealed one of the most misunderstood aspects of open source:
“Open source is a software development model. It’s not a business model.”
This distinction is a huge deal. While the code may be free to use, the infrastructure supporting its development, planning, and maintenance isn’t free at all. Even for weekend open source developers, what they do isn’t free; it’s just hard to see the financial side of it. For OISF, this meant creating a consortium model where companies using Suricata could become financial supporters as a strategic business decision.
The consortium model OISF has created is a bit different from the way a lot of other open source projects work. OISF functions more like a business than many other open source foundations do. A lot of foundations seem to seek out donations and memberships. Suricata is a GPL application, but an organization that wants a non-GPL copy (and many companies looking to embed Suricata in their products do want non-GPL code) can get one if it joins the foundation as a sponsor. I have a suspicion this unique model is one of the reasons Suricata is still going strong after 15 years.
The Economics of Open Source Sustainability
The license choice forms the foundation of any potential business model around open source. OISF’s founders opted for GPL (GNU General Public License), which proved to be strategically valuable with the OISF model. This reminded me of the discussion last episode with Sheogorath and HedgeDoc using AGPL.
One of Kelley’s points during the discussion was “If you are a highly permissive open source license model like BSD, it will be very, very hard to fundraise”. The GPL license gave OISF the opportunity to offer a non-GPL version of Suricata’s code, creating a monetization path. If Suricata had a license such as BSD or Apache 2, there would be nothing stopping an organization from using the code without giving anything back to OISF.
An interesting angle to all this, one that’s maybe not obvious from the outside, is that the companies that join OISF gain marketing from the foundation and support from the developers themselves. This transforms the relationship from a license purchase or donation into a strategic partnership. There has to be value in joining a foundation. If a company can’t show some sort of benefit, it’s going to be much harder to make that funding sustainable.
The Human Element: Keeping Developers Engaged
One of the most impressive achievements of OISF, Kelley told me, wasn’t financial sustainability (I mean, that was impressive) but human sustainability, and that story was amazing. This is an industry where tech talent regularly jumps between employers for career advancement every couple of years, yet OISF has lost only one developer in 12 years.
The foundation employs 11 people, 10 of them are developers. This ratio speaks volumes about their priorities: direct investment in the technical talent that creates value. As Kelley explained, the consortium members know “all your funding is going to pay for those developers.”
While these developers could certainly command higher salaries in the private sector, there’s something powerful about working on a project that serves the greater good. Purpose is an often overlooked aspect of why we do what we do. The foundation allows developers to focus on developing rather than constantly worrying about fundraising.
This stability is a big deal, probably one of the biggest deals we chatted about. Unlike other open source projects perpetually in survival mode, OISF has been able to think strategically about the future. When you’re in constant panic mode, you can’t think about the future.
The human side of open source
Every successful open source foundation needs someone who handles the business aspects while developers focus on what they do best: develop. A lot of open source developers want to develop open source. Developers don’t want to manage business relations, they don’t want to do marketing, and they don’t want to go find donors or members. Developers, generally speaking, want to develop.
In the world of tech we sometimes like to think the code and the technology are the most important piece; they certainly get the most attention. But without someone to keep the lights on, the technology won’t last long. Foundations are hard, but if you want your foundation to make it, you need these folks.
The Future of Open Source Sustainability
The model OISF has created to keep development on Suricata going is very clever. It’s unlike what I see in other places. It feels like a great idea. There seem to be almost constant discussions around how we can fund and sustain open source. Of course we’re leaving out the human angle in many of these discussions. But even if we only focus on the technical aspects, there are a lot of challenges.
Maybe the model OISF has is something we should be looking at more closely. While it won’t work for everyone, it probably could work for some open source projects.