Wednesday, 13 June 2007

Full disclosure and open source software

The practice of full disclosure in software security is only necessary because of closed-source policies. If software were open-source, the researchers who now locate and publish security vulnerabilities could become code contributors who locate and fix them. If they don't have the skills to fix the problems, they can at least report them as bugs in the usual open-source way.

Mokalus of Borg

PS - Full disclosure is where security researchers publish the details of the security holes they find. PPS - It's a motivation for the software company to fix them.

2 comments:

Pstonie said...

Open source for everything would be better on a humanitarian level, but I'm not convinced security would be improved.

Not all of these researchers are out to do good. I say that because I'm assuming they're human.

Maybe if you hope real hard while riding a unicorn. ;)

John said...

Open source for security would introduce a few problems like rogue malicious editions and malicious patch submissions. I'm not sure anyone has tried it, though I'm sure people have considered it. That should say something about its feasibility (low, if any).

And I love the image of hoping real hard while riding a unicorn. Priceless. :D