Do Open Source Eyeballs Really Work?

Share

One of the most contentious areas in computing is whether open source is more or less secure than closed source systems. Open source is open for everyone – including the black hats – to poke around and find the bugs, but it's also open for anyone skilled enough to fix them. Closed source is (theoretically) harder to peek into, but (practically) impossible to fix unless you work for the company that wrote it.

Here's some nice empirical evidence that many eyeballs looking at open source code *do* make a difference:

Mozilla reported more vulnerabilities in its Firefox Web browser last year than Internet Explorer, Safari, and Opera combined, but Mozilla dealt with those flaws quicker than Microsoft, according to a new a report by vulnerability-testing company Secunia.

Firefox had 115 reported flaws in 2008, nearly four times as many as every other popular browser, and nearly twice as many as Microsoft and Apple combined, according to browser vulnerability research (PDF) released this week. In comparison, Microsoft reported 31 flaws in IE, Apple reported 32 in Safari, and Opera reported 30.

However, the report found that Mozilla was quicker to patch Firefox's flaws that were disclosed publicly without vendor notification compared with Microsoft. These "zero day" vulnerability disclosures contain information that can be used by attackers to write exploits for the flaw. The longer it takes vendors to release an update that repairs the vulnerability, the longer users of the browser are at risk.

To be fair, Firefox probably has one of the most active communities looking for and fixing problems, so the research is not necessarily representative of *all* open source projects, but at the very least it suggests that those bulk eyeballs really can indeed make bugs shallow.

"Recommended For You"

Mozilla Firefox 3.6 gets major security fix Opera patches bug, bashes Mozilla