The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSL James Walden
[email protected] Northern Kentucky University Highland Heights, KY ABSTRACT larger, as OpenSSL was the default cryptographic library for An- Context: The Heartbleed vulnerability brought OpenSSL to interna- droid devices, and more than one billion Android devices shipped tional attention in 2014. The almost moribund project was a key in 2014 [34]. security component in public web servers and over a billion mobile At the time of Heartbleed, the OpenSSL project was largely devices. This vulnerability led to new investments in OpenSSL. inactive, except for an ever-growing number of unaddressed issues. Objective: The goal of this study is to determine how the Heart- The project had no full time developers, and the OpenSSL Software bleed vulnerability changed the software evolution of OpenSSL. We Foundation received about $2,000 per year in donations [21]. There study changes in vulnerabilities, code quality, project activity, and were no policies for handling issues or vulnerabilities. OpenSSL software engineering practices. had no release plan, and the project was still supporting version Method: We use a mixed methods approach, collecting multiple 0.9.8, which had been released in 2005. Project source code was types of quantitative data and qualitative data from web sites and complex and difficult to understand and maintain, while the project an interview with a developer who worked on post-Heartbleed team was small with static membership [13]. changes. We use regression discontinuity analysis to determine The goal of this case study is to understand how the OpenSSL changes in levels and slopes of code and project activity metrics project responded to the Heartbleed vulnerability.