S3E4: Open Source, Real Business: Lessons from Mozilla and Microsoft with Reese Gifford
In this episode, Karl Abbott sits down with Reese Gifford to explore the complexities and opportunities of managing products in the open-source ecosystem. Drawing from her experience as VP of Product at Mozilla and her current role at Microsoft, Reese shares insights on community engagement, monetization strategies, and the evolving landscape of open-source software in the age of AI and cloud computing.
Key Topics Discussed:
- Reese’s Journey to Mozilla
- Challenges of Open Source Product Management
- Revenue Models for Open Source
- Community Engagement
- Security & Compliance
- The Role of AI
- Future of Open Source
Key Quotes:
- “Open source has gone from a niche grassroots movement to the foundation of modern software development.”
- “Product management in open source is harder—your stakeholder base is vast and deeply involved.”
- “The community has a massive influence… decisions have to be driven from a consensus of multiple stakeholders, including external contributors.”
Advice for Aspiring Open Source PMs:
- Embrace the complexity of community-driven development.
- Communicate clearly with both internal teams and external contributors.
- Understand that prioritization decisions require diplomacy and transparency.
On today's episode of Productly Speaking, we're diving into the fascinating world of
open-source product management. Open-source is a software development methodology that
enables global collaboration, allowing anyone to contribute to projects. While building products
from open-source projects can be incredibly rewarding, it also challenges traditional
product management models. Additionally, creating a viable business model around open-source
products or services presents unique difficulties. To explore this topic, I'm thrilled to welcome
Reese Gifford, a principal product manager at Microsoft specializing in Azure Confidential
Computing. Reese brings a wealth of experience, including her role as VP of Product at Mozilla,
where she worked on the open-source Firefox web browser. Reese, it's a pleasure to have
you on the show.
Thank you so much, Karl. It's a pleasure to be here.
Tell us a little bit about how you landed the role at Mozilla and what drew you to that spot.
Yeah, absolutely. So I have been in high-tech for a very long time. And over the years,
I've worked in different areas from engineering to product management, but I've always been drawn
to mission-driven technology. How I landed at Mozilla specifically was that I was an independent
consultant and I had a dear friend who asked me to come in and manage the platform engineering team
while there was a person out on maternity leave. And I had said to him, I will absolutely do that,
that I am not going to go full-time. And so three months later, the role of VP of Product opened up
and I went full-time and just kind of fell in love. I really did. I just kind of fell in love
with the people at Mozilla, their mission and everything that they were about. So that's how
I ended up there.
Yeah, no, that's very interesting. So you talk about coming in as kind of a contract
role, then you land as VP of Product. What were some of the more interesting learnings that you had
from working on the Firefox web browser and working with those teams?
Yeah, really interesting. I guess kind of the first thing is that across the organization itself,
everybody had some type of understanding of the web browser engineering and functionality. It was just
this baseline thing. And you don't always have that when you're working in a tech company.
Also, Mozilla is a 501c3. So balancing business growth needs with revenue was and is a challenge.
Additionally, and I'll mention this several times, is that the community has a massive influence.
The challenge there, of course, is that decisions have to be driven from a consensus of multiple
stakeholders, including external contributors. Firefox is free, though we had to be very
creative about revenue models. Watching now how open source projects influence mainstream technology
has only reinforced my belief in the power for open collaboration.
So what about being a 501c3, further complicated things on top of just doing open source?
It was interesting because when you are in a publicly driven company or an organization that
isn't a 501c3, I feel like you have somewhat more flexibility to go after revenue in every way that
you can and it's expected. When you're a 501c3 and Mozilla's mission was to have a globally driven
place where people could go and access the internet, you had to really be careful about balancing
community expectations and making sure that as an organization, you were adhering to that mission
of freeness and to openness. And it made it harder when we went to think about different
monetization strategies. The community had backlash. They didn't want that. They wanted
everything to be free. And so for the community itself to pay for things was, it's a hard mental
shift.
Yeah. And you're looking at something like Firefox, which it has an open source community of developers
that work to develop that. But there's also just large communities of users for something
like a web browser. So what types of community interaction did you have? And how did that
potentially impact the role of product?
Yeah, we had a ton of community interaction. In fact, I had a team of product managers dedicated
specifically to managing the community. Their goal was to make sure that we understood that from the
community leaders themselves, what was needed and how we match that with what was going on internally.
The other very challenging part is, of course, you can't prioritize everything.
And so the product team would have to go back and explain to the community when we didn't
prioritize their needs and why we had to do that. So it was a lot of challenges in understanding how to
drive execution, but blending that need to assess the community without having a clear
chain of command.
Yeah, that's interesting because, you know, in traditional product management, you have
stakeholders and you have to address their needs. And here in open source product management, one of
those stakeholders happens to be the community. But this community doesn't necessarily have the
financial buy-in that you would have in a traditional proprietary company, but they bought in with their
work. You know, these are people that have contributed to the code base. They're very driven in the
direction that they're driven in. And so when you had to go against what the community wanted or, you
know, not necessarily implement what the community is thinking, you know, there's a challenge there in
doing that communication. What were some of the methods that those product managers would use to
kind of help smooth that over?
We would have community forums, people who would answer questions that came in on different FAQs on
the website. Our product managers would meet with some of the community leaders. And interestingly,
we hired a lot of the community leaders. And so they actually were able to facilitate that
interaction quite well. Then the challenge, of course, was that when they became Mozilla employees,
then they themselves would sometimes struggle with like, hey, this is what the community wants. These
are the users. And yeah, I get that the business needs this to grow, but we should always do the
communities and the users first.
Yeah, and that's tricky because I mean, yes, there is the code generation from the community. And there's a
lot of great feedback that you're just not going to get otherwise. But it's not necessarily what drives
the revenue in all cases. And when you're a business, you have to at least try and make money,
you know, you're not going to be around much longer. If a business that's supporting a community kind of
falls off, well, then that leaves the community a little bit high and dry. I like the idea that you
hired people from the community to help kind of bring that community perspective in, but also to take the
company's perspective back out to the community and to kind of work that relationship. We speak to, you know,
some of the challenges of deriving revenue and like trying to tell the community that we can't do X because,
well, we need to bring revenue in. When you're talking about open source, we're literally talking
about the Firefox web browser that anybody could go get the source code for. They could learn to
compile the source code and end up with their own binary of the Firefox web browser. It's been since
the days of Netscape Navigator since people have actually even paid for a web browser. So what were
some of the challenges in driving revenue to the Mozilla Foundation with an open source product like
Firefox?
Yeah, that's actually a great question. And when I started at Mozilla, their primary revenue
source came from search partnerships. And that includes from their biggest competitor, of course,
Google. And most notably, the deals with search engines, we wanted Firefox to be the default and
also utilize all these external companies' search engines to create our revenue. So it's just this
funny model. Some of the things that we looked to, especially during my tenure, there was a
point of shift from the leadership team to look for additional sources of revenue and to start to
diversify. So we explored new revenue streams by offering privacy-focused paid services such as
Mozilla VPN. I personally advocated for an enterprise service model where we would create a version of a
browser that could be controlled by an enterprise and we would support that. It was interesting that
actually didn't go through because there was this hesitation that that could fundamentally change
community perception and could be a lot of overhead that may not be worth it. The challenge was always
balancing these revenue efforts with Mozilla's mission and ensuring that the monetization
strategies align with user trust and open web principles. GitHub, I think, has navigated this well by
offering their free repository hosting while monetizing enterprise-tier features with GitHub
Copilot and advanced CI/CD integrations.
GitHub has definitely done a pretty good job with that. And Firefox and others still have
some difficulty with trying to do this. It's not easy to monetize open source software. And
realistically, you know, paying for software is not something people are going to do in the open
source world. You've got to build services around it. You know, you talk about things like Copilot and
AI. Those are services that make the GitHub software more useful to people actually willing to pay for that
and use that. It's a very difficult thing because in open source, you've got value that you generate that
the community realistically generates for you in the core product. That value is like a lot of times
that's it. And it's like, where's the rest of the value that we're going to charge people for? So you said
you came up with a model of enterprise control. Where did you get some of your ideas for how you would
monetize or potentially monetize the open source product Firefox?
Actually, that's a really great question, because what we did was looked at what some of our
competitors were doing, as well as within the tech market itself, where we saw growth. And at that
point, of course, VPNs were just igniting like fire across the world. And we saw several leaders come
out and believed that with our technology, we could create a superb product that interacted well,
both in the browser and on your mobile device. And we did. It was great. And it's still going today.
Yeah, that's excellent. And yeah, you have to look for some of these avenues where you can make this
value. That's not something that everybody is going to want, or, you know, especially with a
mission like to basically allow anybody in the world to access the internet. That's a lot of what
Firefox does. But if you can find the things kind of around that, that not everybody needs that to be
able to do it, then yeah, you've got a spot where you can potentially monetize. But it's still it's,
it's a big challenge to actually get in there and try and find those spots and not upset the
community because there is definitely a strong open source software equals free motive there.
But I think a lot of people have at least come around to the idea that yes, open source software
is free. But to keep it going, we've got to pay somebody because people have to eat and people have
to have a place to live and all these other things. And without people, this stuff isn't going to keep
going. And that kind of leads me to the next question that I have. And that's, in your opinion,
you know, what are some of the biggest changes you've seen in the open source software world
since you started in it?
Open source has gone from being a niche grassroots movement to the foundation of modern software
development. Major enterprises now embrace it. And we've seen the rise of open source business
models like Red Hat, HashiCorp, and even Microsoft have found ways to build sustainable business
models around open source projects. The rise of AI development tools like
Meta's Code Llama and OpenAI's Codex are really exciting shifts that could redefine how open source
contributions are made. And in particular, I really like OpenAI's model with ChatGPT.
And to your point, you know, we expect open source models to be free. But with ChatGPT,
I think they've done an excellent job of monetizing that when users want to do additional searches or
when users want to use their writing AI. And so there's these different tiers, of course, that they have,
but you get more access and get more creativity based on paying for that. And I feel like that
has met all users' expectations. In that case, they didn't expect that to be free. And it's been
really, I don't want to say easy, but relatively easy for them to move forward with that and build
an amazing user base.
Yeah. And I know that like, since I've started in open source, it was kind of the wild west. Anybody
could have an idea, they could scratch the itch, they could throw code up on the internet,
and people would start contributing. And recently, we've seen governments start to weigh in on like,
open source software should meet the following security standards and to put all these documents
together saying you need to meet these things to be able to be used like by governments. And
government is definitely a large consumer of open source software. So this has also changed the game
where you can't necessarily just scratch that itch and get started and then expect to be used
in all these places.
No. And I think that that is actually some of the biggest challenges that we see with open
source software is security and compliance to government regulations, potentially the introduction
of bugs into the software base, and making sure that things that get added to the open source code
itself aren't redundant. And then again, making sure that the governance and controls that we see
coming, the sovereignty requirements that we are starting to see really grow across Europe and really
all nations, how all of those are met and adhered to with an open source community,
I think are going to be quite unique challenges that we haven't seen before. And then also how
we manage those from a product perspective to actually be compliant, I think are going to be
some really tough, quite honestly, things to do and also really good.
You're probably right, because the community hasn't traditionally wanted to worry about these
types of requirements. And this is where business really does get in and worry about these types of
requirements. And so we kind of see the freewheeling spirit of the community to just build software for the
fun of building software versus business that we've got to do the boring bits, because well,
that's the part that nobody wants to do. So that's what we'll get paid to do. And it is interesting,
because it's one of the challenges of managing products based on open source software. But what
do you think some of the other unique challenges there are in managing those products based on open
source?
I think, you know, some of the other challenges really are traceability. And what I mean by that
is Mozilla itself started out, of course, as open source, which we've talked about. We during my
tenure actually mandated the creation of Firefox accounts. And that actually was met with some
backlash. Because what we wanted to do with the introduction of GDPR was make sure that when code
changes were introduced to the web browser, that we had the ability to go back and contact the person
who had done these, if bugs were introduced, make sure that we could go back and if needed, talk to
that developer contributor for bug resolution. So those types of things, as I said, were met with
friction when we introduced those. And so I think across the board, we're seeing a shift in how it's
managed. With the rise of cloud services, companies are figuring out how to monetize open source
differently, often through hosting services, which we've seen with AWS's managed Elasticsearch and
MongoDB's shift to SSPL licensing. So we're seeing that shift and we're seeing acceptance of that shift
with the introduction of privacy standards and security standards. I think it's here to stay,
but I do think, as I said, I think there's going to be some challenges.
So it's interesting. Firefox accounts was pretty much a response to needing to handle GDPR regulation.
Well, it wasn't just that. It was also we wanted to be able to sync browser sessions from mobile
devices to the desktop. So with Mozilla Monitor, we had introduced a product where we
could monitor any breaches and proactively notify our users of, hey, your email's been breached.
But we wanted all of our products to tie in. So that was one of the drivers for Firefox accounts,
as well as the need to make sure that we had traceability.
Now, that's a fascinating thing because the GDPR, large piece of privacy regulation, championed by a
lot of people in the open source community and certainly by a lot of Europeans. And yet getting an
account that ties you to your browser is, you said you got some pushback, and I'm sure that pushback
was around "But my privacy, you know, this is a potential impact there." And it's really kind
of a unique thing to see privacy regulation drive a thing that may be perceived as kind
of anti-privacy. But it's got to be there to have things like that right to be forgotten and to have
that traceability that you talked about. So that's an interesting one. And that is where, you know,
business and open source, they do have to kind of butt heads a little bit and get to a point of
agreement, which is really kind of fun. I like that story a lot. Open source software is ubiquitous
these days, but it hasn't always been that way. You know, a lot of proprietary software dominated
the 80s and 90s and even into the early 2000s. Do you see open source software continuing to be so
widely adopted? Or do you think that the pendulum may swing back towards proprietary software at some
point?
Well, I definitely think with AI, right, and in particular, ChatGPT, then OpenAI's approach
in general, we're going to see a balance of open source transparency with monetization strategies.
I think with AI, we're going to see contributions where it helps triage issues, suggest code changes,
or even refactor projects. And we've seen this with GitHub Copilot. So yeah, I think it's here to stay.
I do think we're going to see just a shift in general in terms of how it's accepted and the
expectations from end users that we do have to monetize it.
So that is interesting to look at OpenAI as a possible new type of way of monetizing
open source software and something that we may see more of as we go forward.
Yeah, and I think you just with the apps that we see, if you think about gaming and the expectation
there that if you want to get to new levels, there's monetization. And in general, the world
is driven to monetize those types of things. I think across the world, we've seen that become
more accepted. And I think that will be directly influential to what we see with open source.
So how do you think that open source product management is going to change in the next five years?
There's a lot of different things going on in the world. But if you had to put a crystal ball
and be like, okay, product management, open source projects will look like this in five years.
What does that look like?
I would say that with open source in particular, you're going to see a lot of embracing the
community where users aren't just consumers, they're contributors, they're advocates,
they're stakeholders, and they influence the direction of those products. And we do see that,
as I mentioned before, with applications that you use on your device. There's always methods
to provide feedback. I think that you'll see more strong facilitation skills, that there will be
people who don't always have direct authority. And so influence and community contributions are going
to be key. And I think comprehension of the different business models for open source, where
you and I agree that previously, there was the expectation that it was free. But now we're seeing
that there's always a strategy behind sustainability. And I believe that within product management,
within engineering, within marketing and sales across the board, we're going to see this acceptance
of, okay, yeah, we know that open source was historically free. But now these organizations
who are developing things do need a sustainable way to keep the product working.
Yeah, that'll be interesting to see how that gets adopted. Because I know that in certain
nations and in certain industries, this is already largely accepted that you have to pay for
open source software, even if you know, it is free, quote unquote, that that free isn't truly
monetarily free that you know, there's the need to maintain the software security patching is a big,
big issue that if we don't pay people to do security patches, we could end up with massive
security vulnerabilities that leave us completely unprotected. So we've got to pay for this type of
work to be done. And I think that there's a number of industries and nations that actually
see this and understand this. But there are definitely still industries and nations that
are like, no, it says open source, that's free. That's what it says. And I don't think I should
have to pay for that. It should work perfectly out of the box. I pay for it the once, maybe.
And then I run it for a while. And then we talk about payment later. And yeah, hopefully you're right
that some of that will start to shift over into that acknowledgement that yeah, we do need to
actually fund these projects. And we need to fund this development, especially as so many people get
good value out of it.
Right. And I think when Netscape started, right, which became Firefox,
there was this great, really cool thing where there were so many contributors and it was new technology.
And so the community really did build that browser itself. But now with technology going through another
evolution, right, with AI and the need to support that with constantly analyzing data, it's different.
And so I think perhaps the former contributors are now wanting to be paid themselves for doing
some of this stuff and for helping to contribute to those advances.
Now, that's an interesting point as well. And there's definitely companies out there that are
working to see how do we pay the maintainers of these open source projects, because they're the
ones really kind of keeping the show going. The really big projects, a lot of times you'll have a
company like a Red Hat or a Microsoft who will be paying the maintainers of that project. But there are
still important projects where the maintainers aren't necessarily employed by a big tech company.
And so how do you pay those folks? And that's an interesting avenue as well.
Well, and when you think about AI in particular, they need to grow the back end so that they can
store the reference points and the things that they need to search on to generate responsive
answers. Like that's not even developers. That's just solid infrastructure that will need to continue
to grow as we learn more and more with artificial intelligence and machine learning.
It'll be interesting to see. We've kind of talked into areas of open source and AI,
but what happens when somebody just vibe codes an application using AI and says,
OK, it's open source. That's starting to become a reality.
It is. Yeah, it is. And it's super interesting to watch the world itself come to terms with like,
yeah, this is actually really valuable. This is something that really does help me be more
efficient with a lot of kind of the legacy fear of AI taking over the world. And so watching that
transition as well is fun. And also, I do think lends some credibility to the open source community so
that people can look and see and understand what's going on.
It will be very interesting to see how it all plays out and how things kind of go. Because to that
point about AI and vibe coding, it's like, well, who owns the code? And I think that this is just a
broader question that we have to answer as society is who owns what AI generates.
As it's trained on all this data that comes from all these sources, and then the output is
seemingly original. And that's a hard question to answer is the output original.
That's an ethical dilemma right there. Because it's like, well, it does come from all these things.
But a person who came up with something themselves would also be basing to some degree on what they
had learned as well. So it's kind of hard to draw those lines. But yeah, just the legality of it and
like, OK, is this open source? Is this not open source? Have we breached something somewhere?
And you definitely see some open source projects are like, no, we're not even going to take AI
code contributions. We want to make sure that they were written by people. And it's a wild world.
It really is. Yeah, it's a really wild world. And some of the smartest people I know actually
worked at Mozilla with me. And they wade through that, right? It was there. They continue to do coding.
And they inherently, I feel like when you work for that type of company who has that mission driven
free world, there is part of you that always wants that, right? Like, it's just part of your
personality to just have that love for open source and for community contribution. And also
this need for that we're seeing for sovereignty and for data protection. And like, what does that
mean in terms of the coding base? And how do we balance all of those things to still adhere to
these inherent values that we have while watching everything evolve?
Yeah. And I think that open source is one of those things that kind of helps people
maintain their sense of sovereignty. And it's that way, because if you have open source software,
of course, you can run your own copy of it, you can keep your data within your environment.
And that actually kind of plays into what you do on Azure a little bit. And I didn't expect to go
down this road. But you are the product manager for Azure Confidential Compute, which realistically
helps people accomplish some of those same things.
It does. Yeah, no, it absolutely does. And it's interesting that you drew that parallel,
because I was thinking about this morning, we do allow people to contribute to coding bases. And the data,
of course, is encrypted all the way from coming into our infrastructure from the internet,
while the code is in use, it's encrypted. And then when it leaves, it's encrypted. So it is
completely secure. We do help drive those sovereignty requirements. But it does allow
for different types of contributions in a very, very private way.
And to anybody who's been scared of running in the cloud, because you've been scared you were going
to get hacked, or your data was going to get leaked, things like Azure Confidential Computing
absolutely start to answer this in a very, very real way.
Well, it's so great, because, you know, we watched companies keep all of their data inside,
and everything had to be in their data center. And then, of course, as a world, we recognize the
risks with that and the maintenance costs. So we went to the cloud, and then we saw everybody bring
it right back down because of the risks of security. And of course, now, with like Azure Confidential
Computing and products like that, we're seeing the migration back to the cloud. And with confidence
that the code and really that any data that's put up there will actually be secure, and people have
confidence in those solutions.
Moving back over to the product management side of things, what would be your advice for anyone
considering becoming a product manager for a product based on open source projects?
My advice to someone who is thinking about going into product management, and then particularly
focusing on open source, is remember, there's a healthy balance, right? Remember that in a
traditional organization, there's a very clear chain of command and very clear, if my boss says this,
this is who wins. In open source, yes, of course, there's that chain of command, but it's also
heavily influenced by the community. So there's a different kind of need in terms of picking in user
requirements and making sure that you hear all the voices that are contributing. The other thing is,
remember, if you're wanting to go specifically into open source, the need to communicate back to
internal stakeholders and the external community to help explain why prioritizations are where they
landed for the different roadmaps and development priorities. And then I think lastly, it would be
know that it's harder. I think product management in an open source community is harder because you have
such a more vast stakeholder base that is very, very active in feedback. So even, of course, with private
entities and code that's not open, you get user feedback and you do respond to that. That's
absolutely. In an open source environment, though, they're contributing code. And so there is a feeling of
importance by that community and that contributor base where they have a different expectation than
traditional users. So I say, you know, look at those three things and just be very hyper aware that those are
things that are going to be required in open source type of product management role.
Thank you. And one final question, just to help our audience get to know you a little bit better.
What is one goal that you hope to achieve in the next year?
Oh, my gosh. So professionally, there are a few releases that I want to get out with confidential
computing. There's a couple of customers I want to bring up to speed. And personally, my New Year's
resolution was to take up pottery. So I started doing that. Yeah. So I started doing that. And my goal is to
actually create completely balanced cylindrical objects that have lids that actually fit.
So within a year or two, you'll be selling it at craft festivals.
I don't think we're going to get there. I just wanted to look good and be able to give it as
gifts that don't completely stink.
All right. Well, thank you so much, Reese, for coming on the show. It's been good to have you here.
Oh, it's been my pleasure. Happy anytime, Karl. Thank you so much.
Reese is a visionary executive who delivers the strategy and road maps that align enterprise goals, investments and capabilities with emerging market and customer needs for high-tech companies. With the proven ability to develop and communicate clear direction and goals across functions, she partners with engineering, business and external stakeholders to sustain focus and achieve milestones.