By Peter Ganten, CEO, Univention
In the wake of the Heartbleed bug, a growing number of people in the media claim that the precarious situation of Open Source projects leads to problems like Heartbleed. I think this is not only plain wrong, it is a very dangerous position to maintain. Why?
First, bugs, even very dangerous ones, occur in Open Source Software as well as in very well funded proprietary software from Oracle, Microsoft or Adobe. Funding is not the main factor determining how secure or insecure software is.
Second, responsibility for a software product or other IT related offerings like cloud services lies primarily with the vendor of those products and not with the Open Source projects, which give away the software used for the offering as a gift, for free. So, in the case of Heartbleed, all the banks and web shops using OpenSSL, service providers like Google and vendors of software products like Red Hat or Univention have to take care of the security of their offerings. If they are smart, they will typically work with the respective project, of course.
Third, many Open Source projects started inside start-ups, as student projects or out of the will and imagination of other enthusiasts. Financially, the situation of those projects is "precarious" by definition, at least at the very beginning. We need those projects to drive innovation, but we should not expect them to work like commercial vendors of hardened security software from day one. Again, it is the responsibility of those using the code of these projects to assess its security and support improvement.
And finally, we should not forget that Open Source Software enables vendors (and users) not only to assess and review the security features of software, but also to engage and work with others to enhance it. This, of course, is the daily routine of Open Source Software vendors.