When a company adopts open source software, its primary focus naturally falls on developing the features and functionality it needs to drive its business. Security is rarely treated as a priority until something goes badly wrong.
In such situations, security measures become reactive rather than proactive, and that really shouldn't be the case.
Unfortunately, not all teams are equipped with enough manpower and resources to focus on security. So could the answer to open source’s burgeoning security issues simply be more funding?
Open Source Bug Bounties
For many, more funding is the answer, or at the very least the first step towards it. However, the way this is currently being done is drawing some debate. One of the most common steps organizations are taking in this direction is offering bug bounties. A bug bounty pays security researchers to find and report security issues (the fix itself is usually still written by the project's maintainers), and it has become a very lucrative business. According to data published in HackerOne's annual report, around $42 million in bounties was paid out in 2018. While most of those who participate in these bug hunts don't earn a great deal for their efforts, the best can make up to a cool $1 million within a year. Approximately 600 hackers join bounty programs each day, further proof of how financially rewarding it can be.
But while bug bounties may certainly be lucrative, many are questioning their effectiveness in securing open source code.
Where Funding Should Really Go
While bug bounties are good efforts in themselves, many believe they are not a viable solution to open source vulnerabilities. The prevailing argument is that open source communities are already doing a good job of finding open source vulnerabilities and reporting them. What is needed, then, is for the maintainers of open source projects to be supported and funded for their efforts in securing open source software.
Some may be concerned that this approach will only overload maintainers with work, but the data suggest this is unlikely. According to a WhiteSource report, 97% of all reported vulnerabilities have at least one suggested fix available in the open source community, with security updates often published mere days after a vulnerability is disclosed. Unknown vulnerabilities, the kind bug bounties are offered for, make up only a small share of the overall risk in open source components. The majority of the risk comes from vulnerabilities that are already known and already have a fix available; the fix simply has not been applied to the component in use.
So the real problem is not so much finding security issues as organizations' management of their open source usage: knowing which components and versions they run, and applying the fixes that already exist for known vulnerabilities. Given this, is funding really the solution? Perhaps in part, but first and foremost organizations must make security a priority rather than an afterthought. As a community we should find smarter, more secure ways of working with open source software, no matter where the funding goes.
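To make the distinction above concrete (a known vulnerability with a published fix that has not been applied, versus one with no fix yet), here is an added example, not code from the original post or from WhiteSource or HackerOne. It reads a pinned requirements-style inventory, compares each pin against a list of advisories modelled on OSV-style introduced/fixed version ranges, and sorts the findings into "upgrade available" and "no fix upstream". All package names, versions and advisories are constructed sample data, not real packages or CVEs.

```python
"""Triage a pinned dependency inventory against known advisories.

Added illustration: for most components the question is not "is there an
undiscovered bug?" but "is the already-published fix applied?". Every package
name, version and advisory below is constructed sample data (assumed), not a
real package or a real CVE.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    """One affected range in the style of OSV 'introduced'/'fixed' events:
    version v is affected when introduced <= v < fixed. fixed=None means the
    maintainers have not yet published a fixed release."""
    package: str
    introduced: str
    fixed: Optional[str]


def parse_version(text: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so comparison is numeric. Compared as
    strings, '1.2.10' < '1.2.9', which would misclassify a fixed release as
    vulnerable. Assumes plain dotted numeric versions; pre-release tags are
    out of scope for this example."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_pinned(requirements: str) -> dict:
    """Parse 'name==version' lines (requirements.txt style). Comments, blank
    lines and unpinned entries are skipped: an unpinned dependency cannot be
    triaged against a version range, which is itself a finding."""
    pins = {}
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """introduced <= version < fixed (or no upper bound when fixed is None)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def triage(pins: dict, advisories: list) -> dict:
    """Split findings into the two buckets the article contrasts:
    'fix_available' (upgrade and you are done) versus 'no_fix' (needs a
    mitigation, or a maintainer's time to produce a patch)."""
    report = {"fix_available": [], "no_fix": []}
    for adv in advisories:
        current = pins.get(adv.package)
        if current is None or not is_affected(current, adv):
            continue
        if adv.fixed is None:
            report["no_fix"].append((adv.package, current))
        else:
            report["fix_available"].append((adv.package, current, adv.fixed))
    return report


# Constructed sample inventory and advisories (assumed data, not real projects).
SAMPLE_REQUIREMENTS = """
# pinned application dependencies
libfoo==1.2.3
libbar==0.9.0
libbaz==2.0.10
libqux>=3.0   # unpinned: cannot be triaged against a version range
"""

SAMPLE_ADVISORIES = [
    Advisory("libfoo", introduced="1.0.0", fixed="1.2.4"),  # fix published, not applied
    Advisory("libbar", introduced="0.8.0", fixed=None),     # still unfixed upstream
    Advisory("libbaz", introduced="2.0.0", fixed="2.0.9"),  # already on a fixed release
]


def run_sample() -> dict:
    return triage(parse_pinned(SAMPLE_REQUIREMENTS), SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for bucket, findings in run_sample().items():
        print(bucket, findings)
```

Running it on the sample data reports libfoo as having a fix it has not picked up (1.2.3, fixed in 1.2.4), libbar as affected with nothing to upgrade to, and libbaz as clean because 2.0.10 is past the 2.0.9 fix; a string comparison would have flagged libbaz too. The first bucket is the one the article argues is most of the real-world risk, and it is closed by an upgrade, not by a bounty.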
nice post