How is "open source" more secure than closed source?

I mean yes I know that the code can be reviewed for any vulnerabilities/security issues.
But can’t a malicious actor just decide not do disclose the vulnerability and just hack away?

An example would be the Firefox exploit FBI used on Playpen.

Yes, a malicious actor such as the FBI could not disclose exploits they find, but the idea is with many eyes on a project (especially large projects), other actors such as independent security researchers will also find exploits and report them responsibly. They may even find the same exploits the FBI did so they can be patched quicker.

With closed source applications, massive entities like world governments won’t be deterred because they can either obtain the source code through various means anyways, or they can afford to pay teams of people to find exploits anyways. Whereas on the “good side” there’s very little funding into finding exploits in any bu the largest closed-source applications, like iOS or Windows.

Open-sourcing software simply lowers the bar to finding exploits by making it easier both financially and in terms of time consumed. The quicker exploits are found, the quicker they can be patched and reduced.

7 Likes

That’s all things being equal.

So the genuine advantage of open source should not be equated with a magic wand. Open source programs, or services, can be rotten, and proprietary ones can be private.

Open source is good, provided one does not turn it into a cult.

1 Like

Indeed I’m only referring to large projects. Using an open source project with no eyes on its development is basically the same as using a closed source project for all intents and purposes. Unless you review it yourself. So keep that in mind before you download some shady tool with 2 stars on GitHub.

I often put it this way: Open source is not a guarrantee for security, it is a requirement for security.

7 Likes