@paragonie-scott
Last active July 27, 2016 15:10
Any Interest in Hardened-{$PROJECT HERE}

Would you (or the company you represent) consider paying money for an extension/plugin for whatever platform you currently use that fixes security faux pas?

For example:

  • WordPress doesn't securely store passwords.
  • Drupal only uses emulated prepared statements.
  • Magento has _____ (will fill in after it's public).
  • Most CMS projects don't offer secure automatic updates. (WordPress's implementation is insecure. Drupal is working on it.)

There are two ways we could approach this:

The Totally Open Approach

  1. We build the extension/etc.
  2. We release it on Github and make it available via Packagist.
  3. You'd be paying us for support and feature development.

If this project becomes exceedingly popular, we'll also pay forward to other open source projects (e.g. the Composer and PHPUnit teams) whose work our extension would build upon.

The Not-So-Open Approach

  1. We build the extension/etc.
  2. We release it through proprietary channels.
  3. You'd be paying us for access to the extension, which will still be "open source" (and likely GPL because most platforms are), but only to subscribers.

Which way do we go?

Let me be completely honest: My spare time for open source has been dwindling lately. Developing and then maintaining these security-hardening extensions for various CMS platforms will take a substantial investment of time, and that time could be better spent doing work for PIE's (paying) clients.

I need to know two things:

  1. Do you want this to exist?
  2. Are you (or your employer) willing to pay money to develop/maintain these features?

I'd like to know one additional thing, if possible: What sounds like a fair price to you?

This is roughly how I'm going to make this decision:

  • If nobody wants this, I'll move on.
  • If a lot of people want this...
    • ...but nobody is willing to pay for it, I'll move on.
    • ...but very few are willing to pay for it, I'll go with the not-so-open approach so it's worthwhile.
    • ...but plenty are willing to pay for it, I'll go with the totally-open approach.

Ultimately, I want to be fair to the community without being unfair to myself. I'm sure many other open source developers can sympathize with this.

Who are you anyway? How do I know you can deliver?

I'm on the Paragon Initiative Enterprises team. Most of what I do involves creating and improving software; a lot of it is open source. Companies often hire us to leverage our PHP security expertise (and/or cryptography experience) to prevent their business-critical applications from being hacked.

I also have published a lot of open source security research.

My name is Scott Arciszewski. I'm @CiPHPerCoder on Twitter.
