2014: The Year We Learned How Vulnerable Third-Party Code Libraries Are

jfruh writes Heartbleed, Shellshock, Poodle — all high-profile vulnerabilities in widely used libraries that rocked the software industry in 2014. Sadly, experts are now beginning to believe that these aren't the only bugs lurking out there in widely used open source code, just the ones that grabbed the most attention. It's beginning to look like one of the foundation concepts of open source — that with enough eyes, all bugs are shallow — is a myth. Of course, probably no one believes that all bugs are instantly shallow, no matter how open is the source, or that open source software is immune from bugs -- particularly ESR, coiner of the phrase.

Re:But *are* there enough eyes?

[rapiddescent]

one of the issues is that there are indeed *more eyes* but they are incentivised to look for exploits and sell them to the bug-buyers rather than report or fix them. I did a hands up poll (buyer beware) at our local OWASP chapter and over half had sold a bug to such an organisation. pretty shocking.

certainly, one of the first moderately important bugs I found, I was daft and got in touch with the software vendor and then faced legal action from them which luckily they saw sense and dropped. So many people nowadays just can't be bothered with that problem and can make a fast and low risk buck by selling the 0-day.