Addressing the question of why the OpenSSL project received such low levels of participation pre-Heartbleed, David A. Wheeler, an expert in government use of open source, suggests that it could be down to the choice of license. Within a longer work discussing many of the technical issues involved in addressing Heartbleed, Wheeler wrote:
I suspect that more code review and contributions would occur if OpenSSL used a standard widely used license
Could it be that potential community members were put off engaging with OpenSSL simply on account of the licensing decision?
Open source licenses play a number of roles within any project they are associated with. One role identified by legal scholar Eben Moglen is that of, “the constitution for the community.” In practical terms this means that the license chosen for a project lays down a base of expectations and norms that community members then operate under. Where those expectations and norms differ from those familiar to developers (especially if they include inconvenient requirements) they may simply avoid the project or use it with as little interaction as possible.
In the case of Heartbleed, this appears to be what happened. Developers, not wanting to deal with the complications arising from OpenSSL’s custom, non-GPL-compatible license, kept their involvement to a minimum. That left the project short of outside scrutiny, and the lack of review is one of the conditions under which the Heartbleed bug went unnoticed. To explore the issue further, read Simon’s InfoWorld article.