At Zama, we believe in Kerckhoffs’s principle: that security by obscurity cannot exist. The only way to feel confident about a cryptosystem’s security is to have the community try to break it and fail. In practice, this means we need to publish our results and open source our implementation.
As an ambitious startup, we have dedicated vast resources to build our technology, with the expectation that eventually we will become profitable. Profitability is necessary to achieve our vision — to make the internet safe by encrypting everything end-to-end — because it enables us to be independent and free from external influence.
A common belief is that open source and monetization are incompatible. Not only is this incorrect, but it is also dangerous when it comes to cryptography: it makes companies sell proprietary technology that hasn’t been validated by the community. If, instead, companies utilized an open-source approach, they would benefit in many ways:
A decade ago, open source was thought to be the lesser version of proprietary software. This is no longer true, and many industry giants were built on top of open-source projects: MongoDB, Datastax, Elastic Search, Docker, Mapbox, … These companies share the distinction that their business models combine at least two of the following revenue streams: support, hosting, proprietary features and dual licensing.
The most common and simplest model for open source companies is to offer premium support. When a company adopts an open-source solution, they typically require help integrating it, maintaining it and debugging it. Relying purely on community support won’t be enough, as there is no guarantee that a response will be given promptly, if ever.
Although anyone could sell support for a given open-source solution, the company behind the solution will often be the preferred choice as they are more likely to know the internals and be able to ship custom patches swiftly.
The disadvantage of relying on support alone is the stress it places on human resources, making it hard to scale. It is, however, essential, and thus must be offered eventually.
Another good way to monetize is to host the solution for other companies, thereby making it easier to integrate, maintain and debug. Take MongoDB as an example: you can either use MongoDB directly and host it yourself, having to patch it, etc; or you can host your data on Mongo’s SaaS platform, letting them do all the work and paying only for what you use.
The advantage here, of course, is simplicity for both the provider and the customer, but the disadvantage is the need for consumer trust in the host. As an open-source company, it also means SLA guarantees are a necessity, which involves heavier internal processes to guarantee uptime, etc.
Sometimes keeping some features closed source is acceptable, in particular when it doesn’t prevent the community from using the core solution. Automated backups, integration, hardware acceleration and other options are all more convenient if available, but they aren’t deal-breakers and can be kept closed-source and sold as enterprise features.
Choosing what to open source and what to sell as a premium feature can be tricky, however, and many companies have burnt themselves following this open-core business model. It also doesn’t create as much defensibility, as large companies can easily replicate the enterprise features and sell them as their own.
The idea behind dual licensing is that some open-source licenses have provisions that make it difficult for proprietary software companies to use the open-source code commercially.
For example, GPL licenses include a copyleft provision, meaning that when a company distributes software that incorporates GPL code, they have to make their own software freely available under GPL as well. There is a debate currently, however, on whether using AGPL in a SaaS product would trigger the copyleft provision. Some claim SaaS isn’t distribution and thus it doesn’t trigger the provision. Others maintain it does. The Free Software Foundation has a good article specifically on this issue. Further, this is the reason that MongoDB and Elastic Search are using a modified GPL license that specifically addresses SaaS usage.
Another example is the BSD3-clear license, which is completely permissive, without copyleft, but doesn’t include a patent license (the original BSD3 license did not mention patents at all, creating an ambiguity that the BSD3-clear version resolves).
These legal constraints create an opportunity for monetization of the open-source software:
There are other possible models available as well, such as a dual commercial/non-commercial license. But regardless of which model is used, the idea is always the same: big proprietary companies would much rather pay a license fee than worry about the potential legal risks of using open source code.
At Zama, we have thoughtfully chosen the BSD3-clear dual licensing model. We want to allow anyone to use, fork, extend and distribute our software for free for development, research, prototyping and experimentation purposes.
There are several things that motivated our choice:
All these requirements are nicely addressed by our BSD3-clear license scheme:
We reviewed, in detail, every other major license, and decided to avoid them for the following reasons:
We believe that our users and partners deserve to know the risks they take using our code, which is why we have made things very simple: do whatever you want as long as it’s non-commercial, or purchase a license if you want to use our code for commercial purposes.
Additionally, we have purposefully omitted consulting as a business model, as we don’t consider it to be viable for startups. Consulting is great if you want to be a consulting company, but not when you want to be a product company.
Hopefully by now you are convinced that going open source can be profitable for your company. We need more open source in our industry because too many critical infrastructures rely on opaque code that hasn’t been audited. That creates unnecessary risk for all of us.
It’s time to build big businesses that actually make the internet safer!
News, research and product releases