No such thing as Open Source business model

April 16, 2008

I started my open source project, ModSecurity, back in 2002. It was initially just a hobby, something I did in my spare time. ModSecurity grew in popularity, so in 2004 I decided to form a business around it. Thinking Stone was born. I sold Thinking Stone to Breach Security in 2006, and that was the end of my first start-up. (But not the end of ModSecurity, which continues to flourish.)

I will freely admit that I didn't have a business plan. I knew instinctively that the product was good, and I generally focused on improving the product while supporting the growing user base. Everything else I let happen organically. This "strategy" worked out all right in my case, but, in retrospect, I should have invested more effort into commercialising the user base. My luck could have gone the other way just as well.

In researching how Open Source relates to business today, I've discovered a very peculiar fact: there is no such thing as an Open Source business model. There are a few companies promoting themselves as open source, but if you dig deeper you uncover that, if they are making any money, it is coming from the proprietary bits, not from open source. If there are any companies making money today from supporting their open source products, chances are they are just in a transient phase moving away from that model because there's essentially no money in it.

A typical lifecycle of an open source company looks like this:

  1. Build a product people want to use. Make it free and open source, because you want to grow the user base as quickly as possible.
  2. Perfect lead generation and nurturing, which is the key skill you need to have in order to be able to convert users into customers.
  3. Sell training and support, because that's easy to start with.
  4. Sell subscriptions, because support does not scale well and is just not sticky enough.
  5. Create proprietary versions/add-ons/tools, because everything else you did so far failed to make you any real money.

It seems to me that companies are now open sourcing products because it's an effective distribution strategy, and also because they have to—everyone else is doing it. However, because there's no money in true open source, they end up selling proprietary versions, and we (the consumers) are essentially back where we were prior to the open source revolution.