Don´t blame Heartbleed on Open Source

Apr 24, 2014

By Peter Ganten, CEO, Univention

Thanks to the Heartbleed bug a growing number of people in the media claim a precarious situation of Open Source projects leading to problems like Heartbleed. I think this is not only plain wrong, it is a very dangerous position to maintain. Why?

First, bugs and even very dangerous bugs do occur in Open Source Software as well as in very well funded proprietary software from Oracle, Microsoft or Adobe. It is not so much the matter of funding, determining how secure or insecure software is.

Second, responsibility for a software product or other IT related offerings like cloud services lies primarily with the vendor of those products and not with the Open Source projects, which give the software used for the offering away as a gift for free. So, in the case of Heartbleed all the banks and web-shops using OpenSSL, service providers like Google and vendors of software products like Red Hat or Univention have to take care of the security of their offerings. If they are smart, they will typically work with the respective project, of cause.

Third, so many Open Source projects started inside Start-Ups, as student projects or because of the will and imagination of other enthusiasts. Financially the situation of those projects is „precarious“ by definition at least at the very beginning. We need those projects to drive innovation, but we should not expect them to work like commercial vendors of hardened security software from day one. Again, it is in the responsibility of those using the code of these projects to assess their security and support improvement.

And finally we should not forget that Open Source Software enables vendors (and users) not only to assess and review the security features of software, it even allows them to engage and work with others to enhance it. This, of course is the daily routine of Open Source Software vendors.

About the author

Related Articles

Dovecot Pro and Lua

As 2019 begins, we at Open-Xchange would like to provide you with an update and a few details regarding the latest Dovecot...

Michael Slusarz Feb 14, 2019

From Latin America to the Far East

The summer of TES in 2018 goes all around the planet – and for a project that was born in the heart of Europe, this is a...

Vittorio Bertola Aug 28, 2018

IoT security is not A-OK

Everyone knows that the internet can be a dangerous place. Phishing continues to increase in volume and effectiveness,...

Neil Cook Aug 9, 2018

ID4me – a global open standard for every user’s digital Identity

Many users are tired of remembering hundreds of usernames and passwords. Only a short percentage of users is changing their...

The Editorial Team Jul 25, 2018