…when there is a need for a security patch or other bug fix, the person in control of implementation is…you. With closed source, you need to wait for the enterprise in control to fix the problem and make it available to users. For example, Akamai, one of the best, most sophisticated technology firms on the planet, is still working to address its Heartbleed vulnerabilities. Thus, users have no choice but to wait on Akamai for a complete fix. Open source users can do what they want with the code. They can use a patch that has been made available on Github, or can otherwise modify their code as they see fit. In fact, because Spree is open source and its users control their own code, they can choose to replace OpenSSL altogether if they so desire.