Recently our company worked with partners and sponsors to create a thoroughly researched, high quality document about the state of security in the open source Drupal project. You can download the report from DrupalSecurityReport.org, but right now I want to talk about the motivations, the audience, and the funding model behind the report because we feel that we've solved a tricky problem: funding expensive work in an easily copied medium (PDF downloads). We decided to try a variation on Techdirt's strategy to "Connect with Fans and give them a Reason to Buy".

This report was something that my colleague Ben Jeavons and I had wanted to do for a long time, but we couldn't fund it entirely from our own company resources. The target audience for the report is people who are considering Drupal and we didn't feel that they would be willing to spend money purchasing the report.

Connect with Fans

Fortunately, we have built up an audience among people interested in Drupal Security. Last fall I did a security webinar for a few hundred folks leveraging Acquia's webinars. Our blogs are directly read by a few thousand people interested in Drupal and are syndicated to over 20,000 readers readers interested in the topic. We've also done several presentations on Drupal security.

So, with a purpose and some fans in tow, we turned to business contacts we've made over the years to see if they could help with funding.

Reason to Sponsor

Based on discussions with them, our sponsors were motivated to sponsor the report based on three major ideas (and one sub-idea).

1. They sell Drupal in the enterprise space and are often confronted with questions about security and don't have a good answer. They wanted something they could point to.
   • They are building a business on Drupal and need something to show to their investors (VC/Angels) when they are asked about security.
2. They are general Drupal service providers and sponsoring the report helps solidify them as leaders in the field.
3. They have benefited from using Drupal over the years and like finding ways to give back.

The first two are pretty clear. The last one is a little harder to sell from a pure business perspective unless you think about it in terms of "building a giant pie of value and then capturing some of that value" which people love to talk about these days.

Success? Indeed

So, has the report been successful? We sure like to think so.

From GVS sites:

• Ben's blog post
• The GVS announcement

Coverage based on our speaking work

• Drupalcon SF Security for Site admins and beginners
• Drupalcon SF Security for coders and themers
• DC Drupal Meetup lightning talk on security
• Drupalcon Copenhagen Security Talk
• Drupalcamp Colorado: Everyone gets scared

From blogs outside GVS

• Panos Kontopoulos - "dedicated to Drupal security and backed up by some of the most active professional services companies involved in Drupal projects."
• Caligan Designs put the security report in their sidebar.
• Duke's Drupal Users included it in a Drupalcon SF trip report
• Drupalcoder bookmarked the report
• Michael Hofmockel includes it in the reasons why he uses Drupal
• Links of last week from the Areeba blog.

On Drupal.org:

• Drupal's getting started guide on security
• It's going to be included on a new, prominent page in the drupal.org redesign
• And I wrote about it in the Groups.Drupal.org's Security Best Practices group

Social Media:

• It's bookmarked on Delicious 34 times
• 41 tweets on the topic according to tweetmeme
• Google's "Update" search is harder to see the number, but shows many as well

Coverage from the Lullabots:

Lullabot is a pillar of the Drupal community. They have done a great job spreading the word about the report: their promotion may seem counter to their interests since they didn't sponsor and at least some of the sponsors are their competitors. However, Lullabot takes a very pragmatic and generous stance about "expanding the entire pie and capturing some of the value."

• Drupal Voices interview with me
• Drupal voices interview with Michael E. Meyers
• Based on referrer logs, we know it's part of Lullabot's Drupal Module Training

Statistics

According to Google Analytics, the site has been accessed by 2,000 people in the first 4 months after launch. According to webserver logs, the report pdf has been downloaded a little over 2,000 times in that same time period.

Word of mouth

We've also had a great response from people directly. Eric Gunderson of Development Seed thanked Ben for writing a white paper that wasn't full of fluff. I recently had a meeting with a government client where they said "We knew you were the right guy to hire when we were all sitting around a table talking about Cracking Drupal, our cybersecurity department handed out printed copies of the Drupal security report, and an outside consultant at the meeting recommended you as a top resource on the topic." We hope that our sponsors have similar stories to tell from their client engagements.

License: Creative Commons Attribution No Derivatives

We licensed the report as Creative Commons Attribution No Derivatives because we felt the full context of the report was necessary to explain the details and because a share-alike license or any other license that allows for modification would allow anyone to distribute it without including the credits for the sponsors. Choosing a Creative Commons license means that the terms are more recognizable than custom terms and it makes it relatively easy for people to understand what they can and can't do. So far we've had one instance where someone reposted the content without credit to the sponsors and without the full context. They took it down after we contacted them and clarified the license.

Is this a sustainable funding model?

So, the report is successful in it's first incarnation: it's valuable to readers, provides good exposure and sales material for our sponsors, and we got the funding we needed to give it the attention it deserves. But is this model sustainable for future versions of the report?

We're not quite to that point yet, but feel that major updates to the report will be appropriate every year or two. At that point, we plan to ask current sponsors whether they would like the renew their sponsorship and also put out a call for new sponsors. We have already received requests to be included in future reports from three companies who were not sponsors of the first round (two of whom we solicited for sponsorship and they turned it down, one organization we forgot to ask). Based on that level of interest alone, the report should survive for at least one more revision.

We created a forum on the site, but so far that's had quite limited attention. Our hope is that we build a community of security-focused readers but there are probably better places for that. Some sponsors wanted to gather e-mail addresses prior to downloading the form, but we were concerned this would reduce the spread of the report and our main goal was to get the report out there. We have also created a newsletter and RSS feed for folks to get updates about the report. Again, this isn't a main place to create a community but we feel it's worth at least some effort.

Connect with Fans + Reason to Sponsor

The idea here is not really revolutionary, but we feel it's an important tweak on the "CWF+RTB" model that is worth considering. It allowed us to create something we wouldn't have been able to otherwise and has created value for all the stakeholders.