Linus Torvalds, the creator of Linux and Git, has his own law in software development, and it goes like this: “given enough eyeballs, all bugs are shallow.” This phrase puts the finger on the very principle of open source: the more, the merrier – if the code is easily available for anyone and everyone to fix bugs, it’s pretty safe. But is it? Or is the saying “all bugs are shallow” only true for shallow bugs and not ones that lie deeper? It turns out that security flaws in open source can be harder to find than we thought. Emil Wåreus, Head of R&D at Debricked, took it upon himself to look deeper into the community’s performance. As the data scientist he is, he, of course, asked the data: how good is the open source community at finding vulnerabilities in a timely manner?
The thrill of the (vulnerability) hunt
Finding open source vulnerabilities is typically done by the maintainers of the open source project, users, auditors, or external security researchers. But despite these great code-archaeologists helping secure our world, the community still struggles to find security flaws.
On average, it takes over 800 days to discover a security flaw in open source projects. For instance, the infamous Log4shell (CVE-2021-44228) vulnerability was undiscovered for a whopping 2649 days.
images from Hacker News