Subject: RE: Nessus 3.0's failed community
From: "Larry M. Augustin" <>
Date: Wed, 30 Nov 2005 08:35:04 -0800

> I saw a survey that indicated that users' main perceived benefit was
> avoiding vendor lock-in.

I wasn't referring to the end user's benefits, but rather to the competitive
benefits that a company like Nessus might enjoy by releasing their product
Open Source.

The discussion seemed to be focusing around community contributions to the
code.  I don't see that as the main benefit in many high-profile Open Source
businesses today.  To further clarify, my measure of "benefit" is to place
the P&L of the Open Source business side-by-side with the P&L of the
proprietary software business and look for some inherent advantage for the
Open Source business.  For example, lower development costs in the Open
Source business could mean lower total expenses allowing the Open Source
company to charge less to customers and undercut the competition on price.

To return to the discussion around community contributions, the theory I've
been developing over the past 3 years is that lower development costs are
not the most significant benefit to an Open Source company.  Yes, lower
development costs are a benefit.  But I think there's an opportunity to get
even more benefit (cost advantage versus proprietary competition) in sales &

If Nessus was approaching the community assuming they were going to get huge
community contributions to the core code, and that was going to be the major
benefit in being Open Source, then I would argue that Nessus' problem might
have been that they were looking in the wrong place for the benefits to
their business.

Maybe what the Nessus failure may be telling us is that Open Source business
models that rely primarily on benefits to the company in the form of lower
development costs are not viable.  The benefit has to be more than that.

This arguably makes sense if you compare a proprietary software company's
P&L versus an Open Source company's P&L.  On the revenue side, the Open
Source company makes little or no (depending on the Open Source model)
revenue due to license fees.  That's typically about 30% of a proprietary
software company's revenue.  If we eliminate 30% of revenue, and revenue
that is 90%+ gross margin to boot, we need to eliminate nearly 50% of the
proprietary software company's expenses as well.  (Lots of assumptions in
that number, but for a typical proprietary software business the gross
margin contribution of license revenue is in the 40% to 50% range.  That's
the dollars you need to cut from expenses.)  My point being that lower
development costs are not going to make up the difference.

I'm going to repeat that because I've been rather long-winded here and it's
my major point.  Lower development costs are not going to make up the
difference.  You need to look at other expense lines to make the numbers
work.  In particular, proprietary software companies spend a lot more on
sales & marketing than they spend on development.  As a result there's a lot
of opportunity to make a difference there.  If you can cut sales & marketing
costs relative to your proprietary competition, then you can create big
business model advantages.


> > -----Original Message-----
> > From: Larry M. Augustin []
> > Sent: Tuesday, November 29, 2005 5:02 PM
> > To:
> > Subject: RE: Nessus 3.0's failed community
> >
> > Is this a failure of community, or a failure of business model?  Most Open
> > Source companies I know don't get a lot of leverage developing the core of
> > their software.  But that's not a big deal to them.  They get a lot of
> > benefits in testing, bug fixing, integration, and sales & marketing.  In
> > fact, the sales & marketing advantages seem to outweigh the R&D savings by a
> > significant factor.  The benefit of Open Source to the developing company
> > doesn't seem to be contributed code.
> >
> > So I wonder if Nessus isn't looking for the benefits of being Open Source in
> > the wrong place?
> >
> > Larry