Intro

Mike: Hello, and welcome to Open Source Underdogs! I’m your host, Mike Schwartz, Founder of Gluu, and this is episode 69, with Kevin Mueller, Founder and CEO of Passbolt.

Passbolt helps teams securely share secrets, which could be passwords, API credentials or cryptographic keys. It’s one of the few open-source projects in the privileged access management category.

I had the honor of meeting Kevin at FOSDEM in Brussels, although we recorded this episode remotely on Zencastr, auspiciously on the ides of March. So, without further ado, here’s the interview.

Kevin, thank you so much for joining us today on Open Source Underdogs.

Kevin: My pleasure.

Founder Summit

Mike: Before we start the official podcast, I see that Passbolt is one of the sponsors of the Open Source Founder Summit that’s coming May 2024, in Paris. Can you say a couple of words about the event?

Kevin: Yes, absolutely. This is an event that we are co-organizing with Emily Omier. We decided to co-organize this, and basically, to make this event happen. Because we realize that in the open-source world, a lot of funders are not talking to each other. And we basically go through the same hardships, we have the same difficulties, and some of us have some learnings that others don’t. And very unfortunately, and I don’t know for which reason, open-source funders tend to do their own things and not to speak with each other.

So, this would be a fantastic opportunity to put a bunch of open-source funders in the same room and talk very honestly, transparently, without having the need to sell their business ― it is basically open-source funders with open-source funders ― and talk about the hardships they are going through, talk about the problems, the solutions they found, in a very transparent and good atmosphere.

This is the purpose of the event, and I have to say that it’s going quite well. We have already sold all the early-bird tickets, and the event will be happening in May, in Paris. And from where we are, it looks like there will be at least 50 open-source founders in the room so far. So, it’s quite promising.

FOSDEM

Mike: Awesome. So, pivoting back to the podcast, a question for you: did you attend FOSDEM as a student, or as a young person?

Kevin: Yeah! It’s a really good question! I think the first edition of FOSDEM I participated into was ― let me think, in 2000, and I was still a student back then. And I think FOSDEM for me was like Meka of open source, and it was such a privilege to go there. I remember, when I first presented at FOSDEM, we met with the Richard Stallman, Maddog was also there, so, yes, definitely, I started going there as a student.

Origin Story

Mike: How did you go from an attendee of FOSDEM to a founder of an open-source software start-up, and did giving out free swag at FOSDEM this year bring it full circle for you? Or was it more like the “lunatics are running the asylum now”?

Kevin: That means it is very pleasant now to participate at FOSDEM as a founder of an open-source project. I think we went a long way from an open-source enthusiast, when I was a student, to being an open-source founder. Basically, the story is, I’ve always been an open-source enthusiast, not only me, but me and my co-founders.

And my first open-source project was, I think I made it back then when I was 16 or 17 years old. It was a PHP script to browse a file directory but installed as a web app on a server. And it found a bit of adoption back then, I kind of forgot about it. I started my entrepreneurial journey quite early in my life. It happened that, at 23 years old, I stepped in India for an internship. And then, I didn’t leave India for 15 years. And the reason why I didn’t leave is because, when I stepped there, I realized that there is so much potential in that country – everything had to be done.

And I decided to create my first company over there. My first company was a web agency, and we were basically developing web projects or web-related stuff from India, but for French-speaking companies, because I’m French ― you’ve probably figured it out from my accent. And the point that French-speaking companies had with Indian outsourcing is that in India people don’t speak French, and French people are terrible in English. So, even though there was a lot of hype with outsourcing in India, these two could not collaborate with each other. That was the purpose of my company.

And the positioning was quite spot-on because there was A LOT OF French companies, trying to outsource to India at that point, which means that very quickly, we were able to grow the company, and we went from me alone to Remy, which is my current co-founder at Passbolt, who also joined me in this venture, and we grew all the way to around 75 people in the company.

We ran a bunch of other things in India: we created three companies in total. One was also a product company, where we were teaching French online ―very few people know that, but French is actually the first foreign language that is spoken in India, because English is not a foreign language.

We had launched this platform, it became quite successful – we had a few hundred thousand of students that learned French with our platform. And it kind of gave us the taste for building products.

As you can see, none of the things we are doing are related to open source. But when open source came back in the picture for us was actually when we were growing our web agency. Inside the web agency we were developing, we were working with a lot of different customers, a lot of different projects. And one of the pain points that was occurring all the time was the password pain point. So, typically, whenever we are onboarding a new project, the first thing that the customers would do, would be to give us all the passwords and the credentials that we will need in order to do our job.

And most of these guys would send us these passwords by email, or by Slack, or through other channels, which is quite insecure, but to tell you the truth, we are not that much bothered with security ― we are more bothered about the productivity issues that are related to, okay, the password manager is getting those passwords, then he needs to distribute them to the team. How is he going to do that?

So, we tried a lot of things: we tried spreadsheets obviously, we tried emails, then we tried KeePass. And we really loved KeePass because KeePass is a fantastic open-source software. Very simple to install, all our developers had it, it’s considered secure, it has been audited, it is ANSI compliant, and so we loved it for all these reasons. Also, for the fact that you can organize your credentials, and folders, and subfolders, with granularity. So, you can basically follow the same hierarchy, the same structure as your customer project. But where we were very frustrated with KeePass was with the collaboration – we did not want to share the entire KeePass file with the entire team.

Because this gives security problems, but also it is very difficult to have only one file that scales with different people. What happens in practice is like each person will make a copy of the file and start using it independently, and then you end up having 5 or 6 files that have their own life, with the different set of passwords in it, and you don’t have the source of truth any more.

So, Passbolt was built in this context. We wanted a software that has the same properties as KeePass ― basically, that is open source, that is secure, that provides you granularity in a password organization, but on top of that, we wanted a multi-user/collaboration feature.

Actually, the first version of Passbolt was not called Passbolt. It was called absolutely nothing because it was an internal project, and we built it for ourselves, we started using it, and we were really happy with it. So happy that we started sharing it with the customers, partners that were asking for it. And when we realized that a lot of other companies, or people like us, had the same problem, this is when we decided to make a separate project out of it.

And one of the reasons why Passbolt is open-source today is because, very early on, when people were asking us to share the project with them, we were not sharing it― very naturally, we gave them the source code, we explained them how to install it. And after a few months, we started receiving emails from companies who had never heard of us, people in the US, people at the other end of the world, were pinging us for feature requests, or bug reports, and then we realized, “Okay, my God! There is a bunch of traction behind this thing. People are really talking about it. And because we were already sharing the source code, we decided to keep doing it and keep it open source.

Positioning

Mike: So, there’s a lot of password managers out there in the enterprise space, how do you position Passbolt as a product that’s selling to enterprises against all the other options that are out there?

Kevin: I would say this goes back to the origin of Passbolt. The reason why we built Passbolt the way it is, is because we are a technical team. So, the first version of Passbolt as a password manager was basically the password manager for technical teams first. And even today, the way Passbolt is used it is usually adopted by the technical team first. And they adopted it because of three specific aspects of the solution that are really important to us.

The first aspect is collaboration. In Passbolt, you can share passwords very quickly, instantly. With two clicks, you can share one password with one user, or you can share an entire folder with a group of users.  And then, there is inheritance on the permissions management system, and then you can audit also your permissions, you can see if there is something weird happening with the sharing, or password that has been shared that should not be shared ― all this is what I call the collaboration layer of Passbolt, which goes much further than most of the other solutions in the market.

And actually, technical teams enjoy a lot of these aspects, because technical teams are the ones we need to share passwords on a daily basis. And they need to share passwords because they are managing a large number of systems. And it’s not always possible to create one account per user ― actually, it’s almost never the case. You end up sharing the server accounts, or any type of credential you have with other people from your team. And you need to do it fast, and you need to do it securely. So, this is what Passbolt does for you on the collaboration front.

And the two other pillars of Passbolt are basically security and privacy. One of the problems of the existing solutions in the market is that they were initially built for a consumer. If you look at 1Password, if you look at Bitwarden, if you look at many others, including LastPass, the first version of their software was not for team use, or it was not for enterprise use. It was a consumer application, very monolithic ― basically, how can I help end-user open the vault, put this password in it, close it, and then access their credentials when they need it. And they are doing this extremely well.

But then, later on, they realize that, okay, of course there is a market in the price segment. So, a lot of these solutions built their Enterprise layer/collaboration layer as an afterthought. And the result of that is a clunky synergy between the collaboration and the security part of the software. Most of them had to do trade-off on the security. And because Passbolt was built to be enterprise-ready, from the ground up, we could really give it a lot of thought about the security model.

Typically, one thing we decided from the beginning was that the solution should be fully end-to-end. Another thing that we decided was that it is not enough to have just a username and a password to sign in on the solution, to basically authenticate, or to encrypt data ― we decided that no, we need a private key, we need a separate private key on top of the username and the password. And it’s a bit similar to what the crypto ledger’s solutions are doing. Or for example, MetaMask – if you want to connect to MetaMask, you need to have a separate private key that you import in the extension.

We wanted a similar security model, and this is what we did. The security model of Passbolt right now is based on the private key. This is the second pillar. And by the way, this is why we are getting a lot of traction, with a lot of privacy or security conscious organizations, such as national security agencies, or governments – a lot of them are telling us, “Yes, we are choosing Passbolt because you guys are the only ones with this type of security model that is fully aligned with our enterprise requirements.”

And the third pillar of the solution is privacy. Privacy means a lot of things. And I would say open source is included in this privacy pillar. It is the capability the solution gives you as a user, or a customer, to control your data. So, with Passbolt, you can self-host the software yourself, you can download it, install it fairly easily. We have a lot of Linux native installer packages. Basically, you can install it on Debian with apt-get, we are compatible with RedHat, we are compatible with most of the Linux distros there in the market. We are Kubernetes ready, we are providing Helm charts – we make it very easy for you, as a developer, to install it on your server. Then, obviously, the code is open source. So, no need to mention that, but anyone can audit it.

And this is important for a lot of software. But when it comes to cyber security, this is probably where it’s most important. Because it’s not enough to say, “My software is secure.” You want to make sure of it. There is nothing better than open source to prove that, “Yes, your software is secure”, because it’s not only you auditing it ― the entire community is auditing it. That’s how we ensure the privacy pillar of the solution.

Monetization

Mike: What’s the monetization strategy?

Kevin: We have a several type of customers. And I would say, with Passbolt, everything starts from the community ―we have Passbolt CE, as Community Edition, which is, in a way, Freemium, because in open source, it’s not as simple as that. It’s basically your free software that is, free (as in free beer) and free (as in freedom). So, anyone can download Passbolt CE, install it on their server, and start using it. There is absolutely no tracker, we do not ask any questions, we do not know what people are doing with the software ― we just know that they are using it.

So, as of today, on Passbolt Community Edition, we have around 300,000 daily active users. And that’s all we know about them ― we just know their quantity and nothing else. Basically, what’s happening is, because Passbolt is built for collaboration, the people downloading and using Passbolt Community Edition, they are using it at work, not for personal reasons. Because it is not B2C solution, it’s only B2B, only made for teams and businesses.

What’s happening, very organically, is, that once they install it, they start inviting other users, and very quickly, they go from 5, 10, 20, 50, 100. A lot of them will remain at maximum 5 to 10, or 20 for the small teams, and that’s completely fine. But a bunch of them will actually scale their usage. And once they reach 100, 200, 500 users, then their requirements become a bit more sophisticated.

For example, at 500 users, you might want to have SSO in your solution to a Single Sign-On, because it’s a nightmare for all our users. And it will give you support if you do not have an SSO plug-in, or you really want to connect the solution to an active directory, or to any type of directory, in order to make the provisioning easier for your users in your groups. Or maybe, you will have more need for compliance, in which case, you will need to generate more rapport from the solution, or to export your logs.

So, all these features are basically plugins that we are selling in the paid edition of Passbolt: we have two paid editions, we have Passbolt Pro, which is the paid self-hosted version. It is the same thing as Passbolt CE, but with more features, more enterprise features and also Premium support. Basically, they have someone to talk to in the case things go wrong.

And then, we have Passbolt Cloud. Passbolt Cloud is the same as Passbolt Pro, which is basically Passbolt with more features, but designed for people who do not want to do self-hosted. Or maybe, sometimes they have tried to self-host, and they didn’t manage to do it. Then, they’re asking us to do it for them. So, these are two products. The product currently, the paid product that has the most traction for us, is the Pro Edition.

Open Source vs. Commercial Features

Mike: Well, I think you already covered what’s open source and what’s commercial. But what about in terms of looking at your investment in R&D? At some point, you’ll have to invest R&D hours in building open-source features, and then some of that effort also has to go to the commercial plugins. Let’s say, how do you balance in your organization those investment priorities?

Kevin: Absolutely everything in Passbolt is open source. Even when we build an enterprise plugin and an enterprise feature, it is also distributed under an open-source license. And all license is AGPLV3. That’s the license we use for our source code.

For us, it’s like whatever we do is open source ― it’s not even a question. That’s the philosophy behind the product. And then, how do we decide what goes in the Community Edition, or what goes in the paid editions ― well, we follow a very simple mantra.

We know that people using the Community Edition are usually smaller teams. Because larger teams in larger organizations will want to secure the software from a business standpoint. The way we split the features is very simple: what we put in the Community Edition are features that allow smaller teams to gain productivity in their password management. So, obviously, this includes the security aspects, and security is never a trade-off. It’s available in all additions, but productivity is what we are focusing on in the free edition of the software.

Then, for the Enterprise Edition, we are focusing more on compliance and scalability. So, scalability -typically 500 users. I will need more organizational features because of such a large volume of passwords. For example, I need to be able to tag this password in order to add one more dimension.

Scalability is, as I mentioned, I want to plug it to an active directory, I want to do provisioning, I want more logs. So, this is what we provide in the paid edition. And how we decide to split the features ―whenever we have a request coming from the community, or coming from our existing customers, we just all sit together at Passbolt, and we decide on, “Okay, what problem is it actually fixing? Is it productivity, or is it scalability and compliance?” And this is how we do the splits. And we do it very transparently ― all the time, we have a discussion going on with the community, and we announce things beforehand.

How Does Open Source Add to the Business Model?

Mike: It sounds to me, like, open source for you is a distribution mode:  it gets your software shelf space, it gets your product into the hands of organizations that might need it. And then, you’re creating a funnel from that towards enterprise customers. But do you see open-source contributions from developers? Do you guys write all the code? And am I missing something about how you view the importance of open source in the open-source community to the business?

Kevin: Open source is definitely an alignment that we have with all users. And it’s not always the case for open-source projects. For example, if you build an open-source CRM, the fact that your software is open-source, you will probably not talk to the commercial economic buyer at the other end. But in our case, our person has bits on the economic front, or in the free users front, the community front, they’re all technical.

We are speaking on a daily basis with system administrators, DevOps, head of IT, CEOs―these are type of personas that are very sensitive to open source for all sorts of reasons. Because of control, for some of them. For others, it is because this corresponds to the stack that they are using on a daily basis. They’re already on Linux, they’re already using GitLab. And they consider that open source is a bit like a fair trade of software. It has moral values, and they want to go for it.

For some of them, it’s also because of security reasons. Because they consider that when a software is open source, it has some interesting security attributes. I would say that there was a natural alignment for us to make this open source and to bring the open-source values, as part of the marketing message and the value proposition of the software.

Then, in terms of go-to-market, obviously the same dynamic is happening. Because what we see clearly at Passbolt is, most of the search engines related visits, coming to our website, come because of open-source password manager keyword. It happens that there are a lot of companies that have already detected that they need a password manager, so we do not need to tell them ― they understand their need, they understand that they want to centralize, organize, share their passwords, but they have also identified that they want to do it in an open-source way. Hence, they end up on Google and they type open-source password manager. And then, obviously, the offer is fairly limited right now.

There is like Passbolt and Bitwarden. But if you want another price solution, then you are going to look into the specifics of the solution. And in this case, I would say Bitwarden is probably more oriented towards consumer and we are more oriented towards Enterprise and really privacy conscious organization – that’s where they decide for which one where to go.

Pricing

Mike: It’s one thing to know that people really want your product, and it’s another thing to know how much to charge per it. It’s really hard to get pricing right. I’m wondering if you got it right in the early days. And if you didn’t, how did you finally get enough data to get it right?

Kevin: I think no one gets it right from the first time. Our mistake at Passbolt has been like with many other open-source companies: we priced it too low at the beginning. And by the way, I didn’t mention that, but Passbolt was not supposed to be a commercial product from the beginning. When we started working on it with Remy and Cedric, my co-founders, we were comfortable, we had a bit of money to invest in this, and we wanted to have fun building it and really build a great product. But our idea was, let’s build a great product, put it on GitHub and let’s see. And basically, what happens is, once it was on GitHub, we had a bunch of traction – we had a very good traction, a lot of feedback. Organically, some companies started asking us if we had something to sell.

And they were like, “You know, we are ready to pay for this feature because we really need it. Now that we are scaling, we have 100 people on your software, we need more, we need premium support.” So, people started telling us by themselves what they needed in terms of features and in terms of offering. That’s how we went from being completely free to having a paid version.

And we had no clue about like how much we would charge for it. We asked the people that were asking for features. But people are never going to tell you openly, “This is my maximum budget.” So, they will always tell you ballpark figure, but probably on the website. And when we started charging for Passbolt, initially we charged 1 dollar per user per month. And this was fairly low. And to be honest, I think it played against us in the sense that Passbolt was not really perceived as a high-end solution in the security field.

Because price has an influence on how people position the product in their head, how much value they think your software is going to bring to them. So, obviously pricing it too low doesn’t necessarily play in your favor. And I think this is something we see very often in the open-source world. There are a lot of projects that are pricing their solution extremely low because they think they are competing on the price, while, most likely, they have a lot of other attributes to compete on. And this is something we’ve realized quite long after at Passbolt.

From then, we also followed what our competitors were doing. And obviously, we had less features, but probably stronger foundations in our software ― we knew because people would tell us all the time, like they would adopt Passbolt because of the security reasons, because of the security model, because of the collaboration layer. And we knew that they would consider Passbolt to be mature enough for their use.

From there, we decided to iterate constantly on the pricing. Now, once a year, we are basically changing our pricing, increasing it a bit more every year. And we are being quite vocal about it. It means we are informing our customers in advance. We’re having a discussion with them, with the ones who do not necessarily agree. So far, all our price increments have been received quite positively. Some of our customers have even asked us why we waited for so long to increase the pricing, and congratulated us because we did it. I think it’s a very positive signal from them.

Lead Gen?

Mike: It sounds like you’re in a very horizontal market, like the market for customers and organizations that need passwords is, like, everybody, but do you segment the market at all? And other than, let’s say the open-source channel, are you doing any other lead gen in any other segments of the market?

Kevin: No. All our traction and all our customers, as of today, we have around 1,500 customers, the industries where we have the most traction are basically public institutions, universities, and a lot of IT companies or IT teams – this is definitely the biggest sector for us. They all came organically ― we never had to do marketing, we never had to do outbound sales, and we tried it. Because we are a VC funded company, and when you get VCs on board, one of the first thing they tell you is, “Can you scale this thing?”

And it’s very difficult to scale words of mouth, but you can say you can scale your sales organization by adding a bit more outbound sales here, and some more outbound marketing there ― these are all the things we tried. But what we realized on the line is that the cost of acquisition for outbound sales, or outbound marketing, were through the roof, compared to what we can get organically through word of mouth and people who are really happy about the solution.

So, now we’ve completely stopped doing it. We do not do any artificial lead gen, we don’t do any lead gen campaign. The only thing we do is, we focus on building the greatest product we can, making sure community is happy. And what we see in practice is, whenever we deliver a nice feature, a feature that has been a long demanded, or there was a lot of traction in GitHub, immediately it has an effect on the lead generation and people purchasing the solution.

Supporting Old Versions

Mike: Pivoting back to technical question for a second. You mentioned that you have a Community Edition, and one of the challenges we found at Gluu is managing and patching the old software becomes sort of a drag like ― it’s fun to write the new stuff, but nobody wants to patch your version from like six years ago. What’s your policy on how long you’re going to support and continue to patch these older versions of Community Edition? Is it more aggressive, let’s say, than your policy for enterprise customers, with regard to the length of time of support?

Kevin: It becomes a burden, you’re right. But our policy is to make it work as long as possible. So, sometimes we are very surprised, we jump in support calls and realize that some of our customers, or users, have not upgraded their Passbolt for 3 or 4 years, and it keeps working. It’s a bit bumpy, not everything works, but most of it works. So, obviously it doesn’t really incentivize them to upgrade. And you really have to tell them, like, “Look, you should upgrade it, you’re going to get more stability, but also, you are going to get A LOT OF new features.”

And I think this is the main reason at the end why they are doing it. Currently, we don’t have anything built in the software to push people to upgrade to a newer version. And I would say, obviously it gets complicated. It is the way we develop, because then we had reasons to prepare for so many use-cases and so many versions of the API. But it’s a security software. We have to keep it working. It’s our philosophy―we have decided that we’ll do our best to keep supporting all versions of the software no matter how old they are.

We do not do telemetry at Passbolt, which means, we do not know what is in the park of software. We do not know what versions are running out there. So, then it comes to communication. Before we introduce breaking changes, we get very loud about it. We keep sending emails, we keep sending announcements on the community forum. And we pray that everyone has the information at the end and will decide to upgrade.

Is Cloud Better For Customers?

Mike: Is that sort of an argument for people using the cloud service?

Kevin: Well, obviously it’s easier for them, but then it depends on your requirements. If you really want to have something behind your firewall airgap, then you don’t have the choice: you need to go for self-hosted. I mean, what happens in organizations, what we see a lot is, initially, you have a system administrator who knows very well how to do self-hosting. He has everything on track, he’s doing his job, but then, the team changes, the system administrator changes. And then, there is a new guy that comes that does not know how to maintain the software properly. And this is when it gets complicated. Because it’s probably not on his radar, he needs to upgrade the version to a new one, or even that he has anything to do at all.

I mean, this is where we have to be smart at giving the information and be in touch with them, but obviously it’s not always possible. So, yeah, there’s a bit of complexity here.

Future of Passwords and Passkeys

Mike: I think we all agree that passwords aren’t going away for our generations, but killing passwords has become a meme. Does it feel a little bit weird being in a business, where like the common wisdom is you should be killed?

Kevin: Yes. Obviously, it’s not pleasant. We have this joke internally, where sometimes we are comparing ourselves to floppy making companies. A lot of floppy CDs, they all disappeared, but then, you still had a few vendors providing floppy discs because the demand was always there.

I think password is much bigger than that. We don’t think passwords are going anywhere, at least for core audience, the technical teams. Obviously, for non-technical users, that’s what is at stake―removing the passwords. And if I was the CEO of the company, that’s definitely what I would focus on: how can I remove the passwords from everyone.

In any case, at Passbolt, we do not consider this to be a problem. We’ll keep focusing on main use-case of the solution, which is, managing passwords inside technical teams first. And on top of that, our plans at Passbolt are definitely to go towards the passkeys management, and basically, Passbolt is already really good at managing private keys.

Because, as I mentioned earlier, this is core to our security model. That’s what Passbolt knows how to do: we take a private key, we put it in the browser extension, and then from there, we manage authentication and encryption scenarios. If you look at passkeys, it is not far from this principle. It’s almost exactly this principle.

We are already working on features inside Passbolt to help organizations manage passkeys, and we have a lot of customers that are actually waiting for this feature, how to federate their passkeys and add more permission control on top of it.

So, the conclusion: we do not worry about the future without passwords, passwords will keep being there. And for the ones who want to get rid of their passwords, we will have features for them, to implement passkeys and make sure that those passkeys are working properly and rotated when they have to be rotated, and so on.

Closing Advice For Founders

Mike: Kevin, any final advice for software founders who want to use open-source as part of their business model?

Kevin: Talk to your users. It’s really important. I’m saying this because we are advising a few companies, and obviously, we meet with a lot of other open-source funders. And it is very common to see technical founders just being obsessed with coding and technical performance on the platform, to the point where sometimes they forget the value proposition for their users and customers, and I really think it starts from there. We also did the same mistake. I’m not saying that we are better than them, but if I wanted to help an open-source founder save time, then, it would be, talk to your users and understand their use-cases first. Tech comes next.

Mike: And attend the Open Source Founder Summit in Paris, in May of this year.

Kevin: Absolutely.

Closing

Mike: Kevin, thank you so much for joining us today.

Kevin: Thank you, Mike, my pleasure. Thanks for the invitation.

Mike: Thanks to the Passbolt team for all their collaboration. Cool graphics from Kamal Bhattacharjee. Music from Brooke For Free, Chris Zabriskie and Lee Rosevere. If you are wondering why this episode didn’t feature Patrick Bachmann of Open Ocean, tune in next week. I prioritized this episode because I wanted to get in the reminder about the Open Source Founder Summit. Patrick – next week.

So, until next time, thanks for listening.