by emn13
2735 days ago
And most open source projects run a fairly transparent dev process - almost by necessity. Doing something like that as an individual dev might be possible, but hard and likely impossible to do structurally (no guarantee to get it in, no guarantee for the project to be picked next year(s), no guarantee for nobody else to find it first, and upon discovery, risk that your scam becomes apparent). But as a team, the only way to really pull this off involves inserting such vulnerabilities intentionally and out of sight, which means a closed dev process. Even if you orchestrate via some other medium - assuming you're using a VCS, the vulnerability will be publicly traceable to a core contributor - and if you do that regularly, you'll at the least become known as a project that's a security nightmare; that might kill the project in the long run. And you might even raise suspicions purely based on the frequency and nature of vulnerabilities. All in all: abusing this sounds like a fairly risky fraud.