
The OpenSSL Project: Community Governance Enabling Security & Privacy
- Gather community input across multiple stakeholder groups
- Create a transparent archive of every decision and why it was made
- Run delegate voting so large orgs can't outvote smaller ones
- Reach users beyond your developer community
Every time you see the padlock icon in your browser bar, that's likely the OpenSSL Library working behind the scenes. This open source cryptography library powers the secure connections that protect your passwords, credit card numbers, and private messages as they travel across the internet. So when this high-stakes technology organisation needs to make decisions, clarity and transparency aren't optional.
"Open, transparent, community-centric," are the first words we hear from Anton Arapov, Operations Director at the OpenSSL Corporation. When Arapov joined the organisation three years ago, it was experiencing competing priorities. While much of the org was focused on championing open source community values, some groups were focused on delivering support for commercial entities like Microsoft, Amazon, and Cisco. This difference created an imbalance of focus.
"In the past, it was difficult," Arapov explains. "We had a mix of people... and this mix of people had a variety of agendas. Some people were more community-focused, others were more commercially focused. You had clashes when answering ...what is important to do today and what is important to do tomorrow?"
Arapov and others found a structural solution to this friction. The OpenSSL Project re-organised into two entities: the Corporation handling commercial activities, and the Foundation managing non-commercial work. While the new structure provided a solution, a fundamental question remained: How do you gather input from the wider ecosystem of people who depend on your software but aren't paying customers or core developers?
The Real User Base

The OpenSSL Project historically communicated with two groups: paying customers on the commercial side, and the developers who engaged via GitHub on the open source side. Arapov and his colleagues suspected there were many more stakeholders: academics researching cryptography, small businesses relying on secure communications, large enterprises with specific stability and predictability needs, and operating systems and downstream distributors packaging the software, just to name a few.
"At a certain point, we had a discussion; how do we reach out to the rest of the community? We have multiple types of users. We have people who are not developers and who are not familiar with the development of developers' tools."
As director of operations and the organisation's informal 'community manager,' Arapov became the voice for finding a solution. He started by researching how other organisations managed community input. He studied open source projects with large user bases. He examined standards bodies that had successfully achieved consent on technical decisions.
"When I started, I had the bare idea that I needed some kind of a forum which provided voting capability, ideally. Some features which are helpful for management, like community management."
Open source forums provided discussion but no real voting tools. Standards bodies had voting mechanisms but the UX was poorly designed. He kept searching, getting more discouraged. "I was getting to the state where I had a feeling that I will not find anything and I will have to resort to something which is only an ok fit."
The ChatGPT Recommendation
Arapov had formed clear criteria. They needed open source software to align with the OpenSSL Project's values. They wanted the ability to engage via email without requiring platform visits, which was critical for engineers who live in their inboxes. A clean interface without visual noise. Voting capabilities with proper tracking. The ability to see all polls in one place rather than hunting through threads.
"What was extremely important for me as an engineer was the possibility of answering someone using just my email client. So I got notified that something happened, I respond in my email client without needing to go to the platform."
Working with smaller technology vendors mattered too. "It's much easier to reach out to them and it was obvious because our needs are different from pretty much every software I saw. We knew we would need some adaptations and some features which don't exist. The smaller the provider, the easier it is to have this type of communication, to explain things and actually see them implemented."
Another factor weighed heavily. "We have a mission and we're a very transparent, very open organisation. For us, it was absolutely important to have a solution which is also open source. And we were willing to support that kind of solution financially." Beyond walking their talk, open source matters to them because it guarantees ownership of their own data and perpetual rights to the software.
Facing a deadline with no clear solution, Arapov tried something unconventional. "I put it all into ChatGPT. ChatGPT gave me Loomio as the first result. Interestingly, by looking elsewhere, I hadn't found Loomio at all. So I was like, what is Loomio?"
Quickly, he signed up for a trial on loomio.com and reached out to Loomio Support, Co-founder and lead developer Rob Guthrie. "I saw OpenSSL come across my inbox, and I thought, oh my goodness," Rob recalls. Arapov then subscribed to the pro version to be able to explore features more deeply.
The self-hosted option sealed the decision. "I wanted to have a self-hosted solution; it is still very important for us to own our data." For an organisation stewarding cryptographic infrastructure that secures global internet traffic, data sovereignty isn't negotiable. The technical community's concerns about security and control made self-hosting essential.
Building Community Structure

The technical deployment was straightforward. Loomio's infrastructure team handled the setup. The harder challenge was designing the community architecture itself. "The difficult thing was to come up with the proper structure of the communities, because it was really important. We have so many of them."
The OpenSSL Project identified six distinct communities: Academics, Large Businesses, Small Businesses, Individuals, Distributions, and Committers. Each community had both commercial and non-commercial interests, which meant twelve communities total across the Corporation and the Foundation.
To grow these communities, they reached out to people they knew historically: those who had tried to contact the OpenSSL Project through mailing lists, or people who had shown involvement over the years. "We told them we have a new place, and we identify you as part of this community. If it seems like a fit, please join the community. And by word of mouth, it started to grow."
To enable changes across communities, they set up a few community-elected advisory committees. These committees surfaced community needs and advised the Boards of Directors of both the Foundation and the Corporation, translating those needs into product roadmap items, changes to governance, and more.
Rethinking the Product Roadmap

"We have a very opinionated set of engineers who think they know what everyone knows, likes, and wants." They had collectively accumulated a long list of features they believed the users needed.
Then, they began asking registered community members what they wanted directly through Loomio. "It was just enough to bring a question up to the place where people can participate. The engineers figured out that the community's opinion was sometimes the exact opposite of what they assumed. The community may think in exactly the opposite way."
The discovery was humbling enough that the OpenSSL Project made a bold choice. "Along with the adoption of our Loomio communities, we reconsidered that long list of proposed features. Those features we had thought it was important to do in the future. We decided to drop that entire old feature list and start from scratch by talking directly to the communities."
Now the change process works bi-directionally. "The aim is for the communities to have input on our decisions. So there are people beyond developers and paying customers who have needs in the OpenSSL Library. They need capabilities, features, whatever software can deliver. The Loomio platform, what we've named OpenSSL Communities, is a place where they can raise their needs, discuss them, and eventually have them considered by the OpenSSL Project representatives and the board. We get real-time feedback on proposed features from the community prior to build."
Communities can raise needs. The OpenSSL Project can propose features before building them. "When we think it's time to do a certain feature, we inform the communities that we are about to do this. And we're going to do it in this way. And we are happy to listen to you. Get feedback on it."
The Delegate Vote
One feature the OpenSSL Project needed didn't exist yet in Loomio. In community groups organized by size, a large enterprise with thousands of employees could easily outvote everyone else. "When you do a consensus poll across groups, we would like to see what different organisations think about a particular topic. So it's very easy for an org which has thousands of employees to outvote a smaller organisation."
They needed each org to have one vote, regardless of how many employees participated. The solution: identify one delegate per organisation. "So when we do the poll in our groups where we limit the participation to one person from a company or to one voice from the company, we create a poll just for the delegates. And we have representative outcomes from such polls where each company has just one vote."
Rob built the delegate system specifically for the OpenSSL Project's needs. The new feature proved critical during elections for their advisory committees. "We had, particularly in the Large Businesses community, a very contentious election where we had six people vying for one seat. It was obvious that a large company could outvote any other candidate to move their candidate." With delegates, one vote per company, that advantage disappeared.
The system extends to organisations like academic institutions. Different universities have multiple people participating, but for certain decisions, the OpenSSL Project allows only one vote per institution.
Creating Organisational Memory

For a 26-year-old project, historical context matters. "The OpenSSL Library is a very old project. And in the past, we used to make lots of decisions behind closed doors. We left lots of people upset by our decisions."
People would ask why the OpenSSL Project made certain choices. "Sometimes we get a question like, why did you make a decision this way or not another way? We couldn't always point to any one artifact of the past as to why the decision happened."
Loomio creates that artifact. "Loomio is very important for us, not just from the perspective of the input we want to gather, but from the archival perspective." Now people can point to the exact discussion when a decision was made, and why.
The transparency serves another purpose. Many remain skeptical that community input actually matters. "We're still dealing with people in disbelief that this works. One of the things I'm trying to do as much as possible is to give them examples that show the process is working. Users don't believe that they can change something. By making these tiny changes, showcasing users' ability to influence a decision, we can show that it actually works."
He's noticed a positive cycle. "Participation creates more participation." The more content and context they offer, the more community members join. The more visible their decision-making becomes, the easier it gets to prove the concept works.
For a security project where trust and privacy are so fundamental, transparent project governance is essential to their mission. "We're working on cryptography and must be trusted. To be trusted, the only way, or one of the main ways, is to be open."
The In-Person Connection

In October 2025, the OpenSSL Corporation hosted a conference in Prague. They designed it very deliberately. "We decided to do this conference in a way that it was not a sales conference and not just for engineers."
Arapov invited Rob to attend and present on Loomio. "For us, for the OpenSSL Project at the conference, besides connecting with the community and team, it was very important to speak to the public about what we did differently, what we did that was novel. The OpenSSL Community website, based on Loomio software, was very important. So having someone there from Loomio was a tremendous help."
Rob's presence helped in significant ways. "There were some who were skeptical. They didn't understand the decision behind using Loomio. It was really good to be able to talk with them and explain more about the background and intentions for Loomio implementation."
The conference revealed something deeper about community building. "Meeting face-to-face makes such a huge difference," Arapov shares.
"All these people at the conference, I would love to see some or all of them in the OpenSSL Communities, because those who came actually care, and those who care...we need to stay in contact with... They came to the conference because they wanted to connect in person."
Relationships that had formed online through Loomio discussions extended and scaled into the physical world of the conference. Beyond that, more online participation flourished as the OpenSSL Communities: Large Businesses monthly calls created more opportunity for alignment and activation. "It was amazing to see engineers, clients, managers from companies such as Amazon, Microsoft, Hewlett-Packard, Cisco, Juniper, on one call. They don't have another opportunity to be together." The OpenSSL Project's role in convening is making a big difference and increasing participation both online and in person.
Advice for Open Source Projects

When asked what advice he'd offer to other open source organisations, Arapov is direct about a common blind spot. "It's very important that the community of developers is not the only community in an open source project. This is a problem of many open source projects because mostly it is the developers themselves who initiate the community and care deeply about these projects."
"They may think they have a vibrant community, but most of the time it is other developers who are using their software. But there is a much larger group very often who are users."
Finding those other users matters.
"Developer-to-developer interaction is important. But the bigger challenge is finding ways to reach out beyond engineering and connect with users, compliance requirements, enterprise realities, and the broader ecosystem."
For the OpenSSL Project, Loomio became that bridge. It was a way to create community and structure conversations between users who have entirely different needs. "We had some experience. For example, we knew that large businesses and small businesses had very different needs. Small businesses are agile and often use new tools, new things, they can switch and change frequently. For the large organisations, they put consistency and predictability first, and the rest is less important."
Understanding differences like those directly shapes what the OpenSSL Library is. It was critical that they invite and involve a diverse array of community perspectives so that their builds reflected real needs.
Looking Forward
The governance of the OpenSSL Project remains minimal by design. "We are not a big organisation, so we have minimal overhead in our decisions." Right now, decision-making at the leadership level is straightforward.
Arapov expects that to change. "We do consider extending our Loomio usage to decision-making from the point of view of tracking and recording. We also think it will be more important in the future when there will be more positions on the board, so more people in discussion, more opinions to collect."
The platform that started as a community engagement tool may evolve into their internal governance system too. For now, it serves a primary purpose: creating channels to communities they never reached before. The OpenSSL Project gives those communities a real voice in shaping security and privacy tools that secure global internet traffic.
For a security project nearing its third decade, prioritizing trust and relationships through open decision-making is the foundation everything else depends on.