The European Union will foot the bill for bug bounty programs for 14 open source projects, EU Member of Parliament Julia Reda announced this week.
The 14 projects are, in alphabetical order, 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player, and WSO2.
The bug bounty programs are being sponsored as part of the third edition of the Free and Open Source Software Audit (FOSSA) project.
EU authorities first approved FOSSA in 2015, after security researchers had discovered, a year earlier, severe vulnerabilities in the OpenSSL library, an open source project used by many websites to support HTTPS connections.
(Score: 2) by fyngyrz on Monday December 31 2018, @04:44PM (2 children)
Same with open source. Have you read every line of every bit of open source you've ever used? Even if you have, do you think everyone has? Do you think they all understood what they read? The argument that "it's open, so it's safer" depends on underlying assumptions that are very rarely true.
The option isn't the fact.
Again, extremely rare. Particularly in a community that is biased so strongly against paying for any aspect of software. OTOH, the business who writes closed source software is already paying someone to look into the issues that concern it; and security issues are becoming more important as liabilities stack up against these operations.
Step back for a moment and think about what those interests are:
It appears — to me — that accomplishing the above requires attention to problems.
Now consider the open source authors. Suppose the thing doesn't work right. They're not making any money. They are, presumably, doing something else to make money. So where do their priorities lie?
For instance, take the Rocketchat developer install. [rocket.chat] It straight-up doesn't work. I've had problem reports in to them for months now. No response. I mean no response. Zero. Zip. Nada.
Or, take the Qt [www.qt.io] project, which is interesting because it's both open source and commercial. You'd think that'd give them the best of both worlds, right? Motivation to fix, because they are making some money, and all those eyes helping out.
But no. That project is as buggy as a New York slum apartment. Crashes, serious memory leaks, APIs with holes in them you could drive a big truck [youtube.com] through. It has been since version four. Report bugs, they often don't get fixed. The project is either too large for them to address the problems with the people they have available, or they simply don't care, you decide. But the bottom line is, the thing is broken all over the place. Believe me, I know; I've been using Qt since version 4.6.
Now magnify that times no financial motivation. Ouch.
Still, overall, they fix more than, for instance, the rocketchat people do.
Look. I'm not saying all open source is buggy and non-fixable. It's not. I'm also not saying corporations are the only way to make good software. I'm just saying that on the one hand, there are accountable motivations; and on the other, there aren't. The evidence shows that corporations are not entirely bad at software. It also shows that open source folks are not entirely good at software.
My conclusion is that neither way is optimum, and a fan of either way is really not in a position to cast any stones.
--
Calculus... the agony and dx/dc.
(Score: 1) by khallow on Monday December 31 2018, @06:40PM
Or burying problems so the customer doesn't hear about them. Conflict of interest is a thing.
(Score: 2) by Pav on Tuesday January 01 2019, @12:33AM
Do you work in I.T.?
Commercial providers (unless they have a ready fix) ALWAYS DENY a problem is known, or that anyone else is having the same problem... it's INDUSTRY PRACTICE! I've even been gaslighted in this way EVEN WHEN I'd spoken to other customers who had confirmed the problem (and also said they'd been given the same runaround by technical support). Free Software people are easy to deal with in comparison, and if there are no resources to quickly deal with a simple problem one can deal with it oneself.