by sbarre 3296 days ago
> OSS just gives you an option to "fix it yourself".

I would also say that generally speaking you also get more eyes on your source code so you increase the likelihood that someone will find the flaw more quickly (although you could also say it's easier for bad actors to locate flaws to exploit too).


I don't think that the "many eyes make all bugs shallow" style of approach is one people should be relying on for their security. Ever since Shellshock (which was present in a very popular open source program for 25 years (1989 -> 2014)) there has been more effort applied to open source libs (e.g. the Internet Bug Bounty programme), but that's still a vanishingly small percentage of libraries that are being covered.

What I'd say is that, given an equal amount of security effort, an open source lib is more likely to have higher security; however, by far and away the most important factor here is the amount of security effort employed, and that is not generally correlated with the software being open source.

Well, we are comparing apples and oranges here, because this small open source repo most certainly has fewer people looking at it than Intel has engineers working on ME.

Who said this is a small open-source repo? Node.js has one of the most active OSS communities on the web, with many contributors and developers looking at the code, consuming and working on security, and fixing bug reports daily.

Also, a single company provides limitations: you've got blinders on, and your project isn't open for those with a different perspective to come in, take a look, and notice something. I honestly think that a fresh, open, and global perspective is truly key to the success of OSS.

Large communities of open source developers are no panacea; look at Shellshock or all the various OpenSSL bugs. Those bugs stayed present for years in highly used software...

A large community of devs who are focused on security would indeed be good for a project's security, but that's not always their number one priority.

Yes, my point is that we're just throwing anecdotes here, picking examples that suit the argument. It's not proven that one model is better than the other; otherwise we'd all just use the best one and that's all.

> your project isn't open for those with a different perspective to come in and take a look and notice something.

Yes, but consider the fact that a malicious party can also do this kind of analysis. For the record, I'm not advocating for closed software, on the contrary, but merely pointing out that the matter is more complex than it looks on the surface.