I have justed finished listening to the latest episode of the ChaosRadio radio broadcast. Its always rather interesting stuff they talk about - this time they dealt with the recent insecurity bug discovers, especially heartbleed and goto fail and posing the question how to deal with or rather avoid those dramatic flaws. At first, they repeated the often quoted assumption that a software being open source is less likely to be subject to such insecurity nightmares than closed source software, as the potential amount of people looking at the code vastly outnumbers the amount of people looking at legacy code. They then asked why this obviously does not hold. At least I got the impression that the general reasoning was that closed source is less error-prone. And in here lies the basic problem. I am not proficient enough to elaborate on the techincal vantage point of heartbleed or the like, I am software developper, but not especially focused on encryption or security stuff. But in my humble opinion, there is a problem with this statement. Open source is open meaning everybody can have a look at the code, it might be complicated stuff, and yes, it might not be useful looking at it without spending hours, days or even weeks in really studying it really hard in order to understand how it actually works. It might well be that due to this fact there are not as many or even only few people really capable of correcting possible programming mistakes in complex open source software like OpenSSL. That is not the point. The point is that if OpenSSL was closed source, there would not even be the possibility of looking at the code and understanding whats going on. There might be not a single person external to the developer team looking at open source code, but there is for sure not a single person looking at closed source besides the employees of the manufacturer. Now one can assume that the manufacturer wanting to earn money with its code and thus invest heavily into the quality of the code. This might even be true. But let me tell you, that from my personal experience, this does not hold always, I would even say, this does not hold in the most cases. I saw a bit of legacy code, and the quality was not always but on average, low, and a bit lower. The problem is: Companies want to earn money. They cannot invest vast amounts of working hours without receiving back revenues. This means often enough that software has to be released despite the fact that it is still 'beta' at best. Talk to one of your favourite developers and I assure you every single one can tell you one or more horror stories about buggy unstable software being delivered to customers in the hope that it will hold together long enough until the contract has been paid. The difference in between closed source software like this and open source is that potential security issues ARE less likely to be discovered in legacy code and unlike in open source, if the company does, they will not just announce it publicly, but rather assess whether fixing the bug will pay off or wether it is worth taking the risk. Anyhow, YOU will only be informed if the company decides to. This means, most of the bugs found in legacy code will not even be published, just because the manufacturer is the only one capable of looking at the code and not interested in releasing bugs within their software if they can deal with it secretly. Bear in mind we are talking about bugs being found by code reviews, not by users encountering malfunctions, because in this respect, there is no difference in between open and closed source. In my humble opinion, there are hell a lot of critical bugs within legacy code that never get fixed, or fixed by a regular update without being published. But open source really got one BIG problem: This is, it is practically impossible of disguising bugs like this. You are complaining about bugs being found in open source? Well, think about what open source is all about - making the encounter of bugs easier. We tell you that finding bugs is more likely if more people look at the code and that this is a good way to go because bugs not being found cannot be fixed and then complaining about bugs being ACTUALLY found is quite schizophrene. On the other hand, legacy code actually got ONE big advantage: No matter how nasty bugs hide inside, if in doubt you will never get to know.