Hacker News

dofm, today at 7:01 AM, 2 replies

I think the idea is that automated source code processing is making it possible to find vulnerabilities at great speed and in an overwhelming way in software that does not have paid maintainers, whereas closed source software in active use has both less accessible code and paid maintainers.

A charitable foundation might be plausible to help companies secure their closed for-profit software, but it doesn't really have the same urgency for the fabric of the internet (or the same moral clarity).


Replies

graemep, today at 8:32 AM

It's a worry, but it's too early to be sure what the long-term effects will be. We will have many eyes on a lot more code. There might be a rush of reports that slows as all the old vulnerabilities are found.

Closed software still has many people with access to the code. Governments or researchers have been given access to lots of critical source code. It can also be leaked. I wonder whether attackers are going to be more willing to bribe people with access to source now they have better odds of finding vulnerabilities with limited effort.

charcircuit, today at 7:51 AM

>both less accessible code

Yet it is still important to be secured due to the impact vulnerabilities can have. And LLMs can work without source code access by utilizing things like debug symbols, disassembly, reverse engineering, etc.

>paid maintainers

Just like open source maintainers, their time is already being spent on other things which they see as more important than making the project 100% free of security bugs. Just because they are being paid, that doesn't make security their number one priority.
