Slashdot Mirror


Heartbleed Pricetag To Top $500 Million?

darthcamaro (735685) writes "The Heartbleed OpenSSL vulnerability has dominated IT security headlines for two weeks now as the true impact of the flaw and its reach are being felt. But what will all of this cost? One figure that has been suggested is $500 million, using the 2001 W.32 Nimda worm as a precedent. Is that number too low — or is it too high?"

3 of 80 comments

  1. Re:Low by slashmydots · Score: 4, Insightful

    That's ridiculous. I download firmware patches, software patches, etc. on a daily basis. Patching Heartbleed wouldn't even be out of the ordinary for my job as CIO. It basically costs IT nothing.

  2. Re:What's the cost of writing your own library? by SydShamino · Score: 4, Interesting

    NPR this morning mentioned that, in all of 2013, OpenSSL received just $2000 in donations that they could use for "maintenance of the code base" work. (All of their other income was earmarked for specific work for specific customers.)

    Funny enough, they said they've gotten some $10,000 this year, in the last few weeks, though note that most of this is small donations from other countries. There's no indication yet that any of the big U.S. corps most affected by this want to pony up the cash for a full security audit, though maybe some have employees working on it internally (for their own servers' versions, or maybe to share upstream).

    I liked the analogy made in the NPR story, that OpenSSL is like public works infrastructure, except it has no tax authority for maintenance income. Not that I think paying for software should be mandatory, but hopefully some people will decide that, even when they don't have to pay "tax" on something, sometimes it's in their best interest to do so.

    --
    It doesn't hurt to be nice.

  3. Maybe... by charles05663 · Score: 4, Insightful

    Maybe the companies that rely on open source software will realize that supporting the projects financially is in their best interest instead of freeloading like they do now.