It’s a fact of life that all software has bugs. Open source software is no different. Unlike most proprietary software, however, open source projects can turn to a community to find and fix those bugs. Since OpenSSL put its code on GitHub in 2013, it’s received thousands of GitHub issues. While most issues are bug reports, we also get requests for features, documentation, performance improvements, and refactoring via issues.

We’re glad to get input from a wide variety of library users because that helps make our software better. For every person who takes the time to let us know about a problem, there must be many others who suffer in silence. Open issue tracking makes open source software better by exposing problems that might otherwise be missed.
For many years OpenSSL flew under the radar since the library just did the job it was designed to do. So when Heartbleed was revealed, it sent a shock to the ecosystem and suddenly more people got involved. With all the attention, OpenSSL started receiving more issues. Eventually the number of incoming issues exceeded the number of issues closed. And that results in a backlog of outstanding issues.

Some issues do take time to resolve. The issue requesting Encrypted Client Hello was open for nearly 7½ years while that complicated feature was implemented. Most issues, however, could have been closed more quickly if there were unlimited developer resources available to triage and address them.
Letting issues stay open presents several problems for an open source project. It can be discouraging to submit a bug report and not have it addressed. People tend to give up on the process and wander away from the project. Frustratingly, some fraction of those discouraged people could become involved with the project if given encouragement instead. That’s even before considering the lost opportunities from bugs that don’t get fixed and features that don’t get implemented.
Since October 2025, the OpenSSL Foundation has been able to cut back the backlog. We started by closing nearly 500 issues. Unfortunately most of those were issues that could no longer be replicated because the people reporting them have wandered off. Other issues are no longer relevant because they were reported for an OpenSSL release that has reached end-of-life. Mass closure events don’t solve the issue backlog.

With an investment from the Sovereign Tech Fund, the Foundation was able to bring on Daniel Kubec and Igor Ustinov to address the backlog in a more sustainable way. We average 2.3 issues opened each day. So just to keep up, we need to close or complete at least that many per day. (An issue is essentially “completed” when a fix is put into the code. Issues are closed if they can’t be reproduced or are not going to be fixed for a variety of reasons.) Not counting the mass closure event in October, the OpenSSL project has cleared 1,188 issues in the past year. That works out to 3.25 issues a day. As long as that rate holds, we’ll be steadily reducing the backlog.
To avoid adding to the backlog in the future, we also track a Key Performance Indicator (KPI) of current issues resolved minus new issues opened each month. The metric excludes older issues that are identified as part of the issue backlog work funded by the Sovereign Tech Fund. In other words, it only measures the ongoing flow of issues. You can track our progress in recent months on the OpenSSL Issues and PRs statistics dashboard.
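The two numbers in the paragraphs above (the daily open/close rates that decide whether the backlog shrinks, and the monthly KPI of closed minus opened with funded backlog issues excluded) are simple to compute but easy to get subtly wrong, for instance by counting a backlog closure as ongoing flow. The script below is an added example, not the Foundation's dashboard code; the issue records are constructed sample data and the `backlog` label used to exclude funded backlog work is an assumption.

```python
import math
from collections import defaultdict
from datetime import date

# Constructed sample issue records (not real OpenSSL data). Each has an opened
# date, a closed date (None while still open) and labels. The "backlog" label
# is an assumed marker for issues handled under the funded backlog work.
ISSUES = [
    {"id": 1, "opened": date(2025, 11, 3), "closed": date(2025, 11, 10), "labels": []},
    {"id": 2, "opened": date(2025, 11, 5), "closed": None, "labels": []},
    {"id": 3, "opened": date(2025, 11, 20), "closed": date(2025, 12, 2), "labels": []},
    {"id": 4, "opened": date(2023, 2, 1), "closed": date(2025, 11, 15), "labels": ["backlog"]},
    {"id": 5, "opened": date(2025, 12, 1), "closed": date(2025, 12, 3), "labels": []},
    {"id": 6, "opened": date(2025, 12, 4), "closed": None, "labels": []},
    {"id": 7, "opened": date(2025, 12, 9), "closed": None, "labels": []},
    {"id": 8, "opened": date(2022, 6, 7), "closed": date(2025, 12, 20), "labels": ["backlog"]},
]


def month_key(d):
    """Bucket a date into a (year, month) pair for monthly grouping."""
    return (d.year, d.month)


def monthly_kpi(issues, exclude_label="backlog"):
    """Net flow per month: issues closed minus issues opened.

    Issues carrying exclude_label are skipped entirely, so closing an old
    backlog issue does not inflate the ongoing-flow metric. A negative value
    means the month added to the backlog.
    """
    opened = defaultdict(int)
    closed = defaultdict(int)
    for it in issues:
        if exclude_label in it["labels"]:
            continue
        opened[month_key(it["opened"])] += 1
        if it["closed"] is not None:
            closed[month_key(it["closed"])] += 1
    months = sorted(set(opened) | set(closed))
    return {m: closed[m] - opened[m] for m in months}


def open_backlog(issues, as_of):
    """Number of issues that were open at the end of the given date."""
    return sum(
        1
        for it in issues
        if it["opened"] <= as_of and (it["closed"] is None or it["closed"] > as_of)
    )


def days_to_clear(backlog, closed_per_day, opened_per_day):
    """Days until the backlog reaches zero at steady rates.

    Returns None when closures do not outpace new issues, since the backlog
    then never shrinks no matter how many issues are closed in absolute terms.
    """
    net = closed_per_day - opened_per_day
    if net <= 0:
        return None
    return math.ceil(backlog / net)


if __name__ == "__main__":
    for (year, month), kpi in monthly_kpi(ISSUES).items():
        print(f"{year}-{month:02d}: KPI {kpi:+d}")
    print("open at 2025-12-31:", open_backlog(ISSUES, date(2025, 12, 31)))
    # Rates quoted in the post: 3.25 closed per day against 2.3 opened per day.
    print("days to clear a 1000-issue backlog:", days_to_clear(1000, 3.25, 2.3))
```

The exclusion by label is the part worth testing: without it, the two closed `backlog` issues in the sample would turn November's net flow from negative to zero and hide that more issues arrived than were dealt with.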

On that dashboard, the KPI has been negative in most recent months, which means more issues are being opened than closed. That’s despite closing more issues per day so far this year than in the previous year. We are seeing a significant increase in issues opened, largely due to an increase in AI-assisted issues.

Like many open source projects, OpenSSL started noticing vulnerability reports and pull requests from people using ever more sophisticated models. There is a proposed policy for contributors who use AI. While this policy doesn’t address the issue backlog, it’s part of a broad strategy we must develop to adapt to the changing environment. While not as exciting as post-quantum cryptography, reducing the backlog contributes to our mission to build a safer internet and also keeps the OpenSSL community healthy.