Interview Study:
Investigating the FOSS crypto ecosystem
Who is maintaining FOSS crypto software and what makes this special?

We are looking for participants for this interview study on the communities behind cryptographic FOSS projects and the security challenges that maintaining such software entails!

People who…

  • have experience with maintaining and contributing to FOSS cryptography projects
  • are 18 years of age or older
  • are comfortable participating in an interview on this topic in English

Participants will…

  • fill in a short preparatory questionnaire
  • book a time slot for an online interview of about 60 minutes
  • answer questions on their experiences and opinions during the interview
  • be offered a compensation of $65 for their time and effort

FOSS cryptography projects: For us, cryptographic FOSS projects are projects that require extensive knowledge of cryptographic functionality for their proper implementation. We are therefore interested both in maintainers of cryptographic libraries (e.g., OpenSSL and its variants) and in maintainers of software with primarily cryptographic use cases (e.g., certbot, Enigmail).
Sign up for our study here!

About this study

The purpose of this research is to systematically investigate the contributor structures and attribution practices behind open-source cryptographic implementations. By mapping out which individuals contribute, what expertise they bring, and how contributions are managed and verified, the study seeks to uncover the social dynamics that influence the robustness of these libraries. Understanding these aspects will contribute to the discussion around the security of critical open-source projects and may yield recommendations for protective measures, policy, or community-driven interventions for these vital components.

Motivation

Open-source libraries that implement cryptographic functionality play a critical role in the software ecosystem, as they usually protect the most sensitive parts of a software product. Open-source cryptographic libraries such as OpenSSL, Libsodium, and Bouncy Castle are integral to countless applications, ranging from web browsers and cloud platforms to embedded systems and mobile apps. Despite their widespread use, the security and correctness of these libraries depend on extremely complex codebases and advanced cryptographic concepts (e.g., key exchange protocols, random number generation, and low-level optimizations such as S-box implementations) that can be properly understood and verified only by a small group of experts.

This high level of specialization, combined with the open and distributed nature of their development, raises important questions about the resilience, trustworthiness, and sustainability of these projects. In addition to the technical complexity, the social and organizational dimensions of such projects (e.g., contributor diversity, governance models, transparency practices, and the handling of responsible disclosure) play a crucial role in determining their long-term reliability. A lack of insight into these structures may hide systemic risks that undermine the trust placed in this critical infrastructure.

Research Questions

  1. What is the general contributor structure of OSS cryptographic implementations? We want to learn how contributions are distributed between core maintainers and external contributors, and what organizational affiliations these contributors have.
  2. Who contributes to OSS cryptographic implementations, and what are their professional, institutional, or geographic backgrounds? What motivates people to contribute to such projects? We seek to uncover the profiles of contributors to OSS cryptographic implementations, including their professional expertise, institutional affiliations, and geographic distribution. We also want to explore the personal, social, or organizational motivations that drive them to engage in such highly specialized and security-critical projects.
  3. How do OSS cryptographic libraries handle attribution of contributions, and what mechanisms are in place for accountability? Previous research has shown that some of the information provided by code hosting platforms like GitHub is not verifiable, and we want to find out how cryptographic communities deal with that problem.
  4. Do OSS cryptographic implementations pose special security challenges compared to other open-source software projects? We want to learn whether and how these projects differ from other open-source projects, given the complexity of their products and the potential security implications (e.g., stricter review requirements, tensions between openness and secrecy, dependency risks).
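Research question 3 refers to platform-provided attribution data that cannot be verified. The following is an added illustration from the editor, not material from the study page or its authors, of the most basic instance of that problem: git records whatever author name and e-mail the committing party supplies, so the name displayed next to a commit on a hosting platform is a claim, not a verified identity. Only a cryptographic signature on the commit (which is what a platform's "Verified" badge reports) ties it to a key. The script assumes git is installed and creates a throwaway repository in a temporary directory; the names and addresses in it are made up.

```shell
#!/bin/sh
# Added example: git author metadata is self-asserted (not from the study page).
# Assumes git is available; everything happens in a temporary repository.
set -e

# Create a throwaway repo with one commit whose --author claims to be someone
# other than the configured committer. Prints the repo path.
demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" -c user.name="Real Committer" -c user.email="real@example.org" \
      commit -q --allow-empty \
      --author="Impersonated Maintainer <maintainer@example.org>" \
      -m "look legit"
  echo "$dir"
}

# Print the author that git log shows for HEAD: exactly the string that was
# supplied at commit time, with no check performed by git or the platform.
author_of_head() {
  git -C "$1" log -1 --format='%an <%ae>'
}

# Report whether HEAD carries a signature that verifies. %G? expands to 'G' for a
# good signature and 'N' when the commit is unsigned; only 'G' is evidence of
# anything, and an unsigned commit has no attribution beyond its own claim.
signature_status() {
  case "$(git -C "$1" log -1 --format='%G?')" in
    G) echo signed ;;
    *) echo unsigned ;;
  esac
}

repo=$(demo_repo)
echo "author:    $(author_of_head "$repo")"
echo "committer: $(git -C "$repo" log -1 --format='%cn <%ce>')"
echo "signature: $(signature_status "$repo")"
rm -rf "$repo"
```

The author and committer fields differ here, yet both are free-form text that anyone who can push to the repository controls. A project that wants accountable attribution therefore has to require signed commits or signed tags (git's `commit.gpgsign` setting, or an SSH key via `gpg.format=ssh`) and verify them, rather than rely on what the hosting platform displays.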

Study procedure and participation

We value and appreciate your contribution to our study. As briefly described above, participation starts with a short sign-up questionnaire of 5-10 minutes, at the end of which you can freely choose an interview time from our available slots. The interview itself takes about 60 minutes. During the interview, we are interested in your experiences and opinions on maintaining free and open-source cryptographic software.

We are committed to maintaining your privacy and the confidentiality of all data you provide. We will only use short quotes from the interviews in our publication with your approval, and make sure that you cannot be identified from our reporting. After the interview, we offer a compensation of $65 for your time and effort.

Sign up for our study here!

Who we are

We are a research team from the state-funded CISPA Helmholtz Center for Information Security in Germany. Our group studies the intersection of computer security and privacy with human factors. We are particularly interested in investigating end users, administrators, developers, and designers of computer systems and their interdependencies with computer security and privacy mechanisms.

Researchers

Jan-Ulrich Holtgrave | Researcher (CISPA).
Contact: jan-ulrich.holtgrave@cispa.de

Ivana Trummová | Researcher (LUH, CTU in Prague).
Prof. Dr. Sascha Fahl | Principal Investigator, Tenured Faculty (CISPA) and Full Professor (Leibniz University Hannover)

Institutions

CISPA Helmholtz-Center for Information Security

Leibniz University Hannover

CTU in Prague