Open Source Initiative board election results scrapped after security hole found, exploited to rig outcome

The Open Source Initiative (OSI) on Friday said it will redo its recent Board Election after uncovering a voting irregularity that affected the results.

"This week we found a vulnerability in our voting processes that was exploited and had an impact on the outcome of the recent Board Election," said Deb Nicholson, interim general manager for the OSI, a non-profit that oversees the Open Source Definition and advocates for open source software. "That vulnerability has now been closed."

The Register asked OSI whether anyone could provide further details about what went wrong.

"At this moment, we’re aware of at least one case where an entity voted more than once," said Nicholson in an email to The Register. "We will share more when we can, but we want to make absolutely sure that we understand what happened first."

Asked to clarify the nature of the vulnerability, Nicholson replied, "It was a vulnerability in our processes and the way we use our database."

OSI uses open source voting software Helios but insists the issue had to do with "an internal piece of our process, not Helios."

The advocacy organization plans to conduct a forensic investigation to understand what happened and to prevent it from happening again.

One possible motive for rigging the vote would be to change the definition of "Open Source" and what the organization promotes and lobbies for, to make it more "industry friendly" and less "freedom respecting," suggested Bruce Perens, one of the founders of the open source movement and the creator of the Open Source Definition, in an email to The Register.

"For example, OSI has worked against royalty-bearing patents in standards, generally against IBM and Qualcomm (not just those two), who you will notice have seats on the steering board of the Linux Foundation," he said, an organization has previously described as "loggers who claim to speak for the trees."

Despite tech industry support for the Open Source movement, corporate interests are not always aligned, he said.

Perens gets pithy

Perens, who co-founded OSI alongside Eric Raymond in 1998, resigned from the organization last year because it had come to support software licenses that he argued were not "freedom respecting."

In recent years, he said, there's been a separate concern that the OSI board could be bought for less than $100,000. Pointing to the 2020 election results, by which the winners were seated with vote totals of 224 and 198 respectively, Perens observed that the cost to cast a vote is only the $40 membership fee.

"It used to be that they accepted members during the election, and this was indeed when the most people joined," he said. "So, you could pay and vote in the same web session!"

With the introduction of both institutional and individual board members, Perens said it has become more difficult, though not impossible, to subborn the institutional seats. But he remains concerned about the possibility.

The slate of people up for election this year is unchanged from the list posted on March 3, 2021, so it appears none of the individuals running for a board seat have fallen under suspicion of voting more than once for personal gain. OSI's use of the term "entity" rather than "individual" suggests that an affiliate or sponsor organization voted too many times.

We've asked OSI about this and were told, "We're still working to separate process vs. intent and will let you know more when we have more." So OSI has yet to make a public determination about whether the vote manipulation was intentional.

The Board Election, which opened on March 5, 2021, and closed on March 16, 2021, was to fill two OSI Board of Directors seats and two Affiliate Member Board seats. Those who cast votes have been asked to do so again, starting on March 23, 2021, and ending on April 2, 2021, 1800 GMT. ®