Subject: dual-branding (was: Re: Paper on dual licensing)
From: David Kaufman <david@gigawatt.com>
Date: Wed, 04 Dec 2002 14:59:52 -0500

"Jack Hughes" <jack.hughes@mac.com> wrote:
>
> David Kaufman <david@gigawatt.com> wrote:
> >why not include Snort?  to me, their dual licensing strategy is the most
> >interesting.  ... playing down the fact that there even *is* an
> >open-source alternative has always seemed to me an obvious business
> >model. it may seem a bit deceptive, but really it's no more deceptive
> >than selling Chrysler cars under the Mitsubishi brand, is it?
>
> The last time I looked at the Red Hat main page it made no mention of open
> source. Why is that? Is it because the fact that something is open source
> isn't that important to most users who just want something that works?

that's one aspect of it.  Red Hat, in the non-gratis Linux business, and
SourceFire, in the non-gratis Snort business, both have a need to position
the commercial product as easy to buy, easy to install, easy to use, etc.
while coincidentally open-source, so that the laziest customers, with deep
pockets and a desire to fulfill their instant gratification needs, can buy,
plug and play, while those customers digging a little deeper can still find
the value added by the commercial version... "okay, if i want to compile it
myself, i can get the free version, but if i want the GUI installer and
online updates, i can pay to get that" and this lets those customers (if
they buy) at least feel that they made an informed decision.  unhappy
customers who bought it and realized, only after the sale, that the
software was free (of cost) elsewhere, could loudly complain and provide
an awful lot of ugly anti-product viral marketing...

> Or, maybe Red Hat believes that being overtly open source might frighten
> off a part of the audience it is attempting to attract? Perhaps it is a
> combination of both.

but Red Hat is a different animal.  they did not create Linux and then
choose to dual license it;  they do not hold its copyright (or copyleft,
whatever).  they *compete* with the open source Linux distros, which is not
an easy thing to do!

Snort OTOH holds its own copyright, and *chooses* to dual license,
providing both versions to the public, one via www.snort.org for free, and
one via www.sourcefire.com, for a (decidedly fat) fee.

my fascination with Snort's business model stems from the fact that
SourceFire is an FSB created by the developer of Snort to make a living
from his open source software.  it has managed, by "Quietly Dual Licensing"
Snort, to maintain a healthy and vibrant developer community, happily
contributing patches to Snort's CVS tree, while simultaneously starting an
(apparently quite successful) business, complete with slick marketing and
high-end branding, to sell his little intrusion detection system... bundled
with $25,000 servers to run it on!

if that ain't a successful FSB, i don't know what is!

> The SourceFire company does say that it sponsors the snort
> project and is up front about it being a commercial variant of snort.

that's marketing double-speak.  of course SourceFire says they "sponsor"
Snort.  it makes them sound charitable.  in fact, they depend on Snort for
their very existence.

Marty Roesch is subtly positioned at the *bottom* of the Snort.org
"developers" page: http://www.snort.org/team.html but is in fact the lead
developer, original author and, not coincidentally, founded SourceFire in
2001 and serves as its CTO
http://www.sourcefire.com/aboutus/mgmt_tm.htm#MartinRoesch

the existence of the Snort.org website, with its free downloads, anonymous
CVS repository, purely free nature (libre *and* gratis), along with an active
community of contributing developers, is not exactly *hidden* on the
SourceFire site, but it's buried deeply enough that the fact that the
software is available gratis is not what SourceFire wants corporate users to
find right away.  it wants corporate-minded visitors to find an
enterprise-class security *product*.

and therein lies the genius of it all :-)  SourceFire doesn't confuse the
non-developer with its dual licensing details, as MySQL's website might.

the CTO who is not well-versed in the intricacies and legalities of the GPL,
who may hold only a vague distrust of all things Free, who does not care
about the cathedral *or* the bizarre, will find nothing to stop him from
completely trusting that a SourceFire security solution he pays thousands
(or tens of thousands) of dollars for will be just as "solid" and
"professional" as a Microsoft Commerce Server (another software system
bundled with high end hardware) or Sun's "Sun Fire" Server (he added,
wondering if the similar "Fire" names were coincidental...) or any of the
other closed-source, proprietary products his company has grown to trust,
based on how much they are used to paying for them.

the strategy very cleverly plays on the long-understood marketing concept
that, when making purchasing decisions, most customers tend to subjectively
value a product based on what they must *pay* for it, more than most other
possibly more objective factors.  and after the purchase, they will tend to
justify and defend their purchasing decision by the same yardstick.  If they
knew Snort was free before purchasing SourceFire, they might think of it as
an overpriced version of a no-cost product; however, *after the sale* if
they learn that Snort is freely available, SourceFire marketing could easily
help them justify their purchasing decision by a) pointing out all the value
added to Snort to create the SourceFire product, and all the well-known
benefits of open-source software, especially the generally accepted
superiority of open source *security* and crypto software, over its
closed-source counterparts.

i doubt that many potential corporate customers visit MySQL.com, see the
free version, see the identical software with a high-priced non-free
license, and choose the expensive one... other database software development
companies grasp the value of that license and i'm sure buy it, but MySQL's
choice *not* to dual-brand an end-user MySQL dbms product, seems to me to
have prevented them from competing with Oracle, Sybase or even MS Access...

it seems to me that Snort/SourceFire's method might just be *the* way to go
for any FSB, ...which is why i (hope that i just) coined the term "dual
branding" to go hand-in-hand with the traditional FSB business model of
"dual licensing" :-)

-dave