by falcolas 2251 days ago
Like OpenSSL? Rhetorical question; OpenSSL was both open source and broadly used, and it took over two years to identify Heartbleed.

Plus, many companies, Microsoft included, open up their source code to partners.

The openness of source code has little correlation to its security.


I know it's not quite that simple but isn't OpenSSL exactly an example of how a bug in open source software was found and fixed? Of course it took a while and the software was already extremely widely used at that point but bugs happen and at least it's not just lying around unfixed. I can't remember bugs in closed software getting the same kind of exposure.
I'm not sure if heartbleed is a good example here, given that it was basically a new class of exploit.
Wasn't heartbleed a fairly typical buffer overflow?
The typical buffer overflow would have been caught by OpenBSD's protective malloc.

> [...] OpenSSL adds a wrapper around malloc & free so that the library will cache memory on its own, and not free it to the protective malloc. [...] So then a bug shows up which leaks the content of memory mishandled by that layer. [...]

https://marc.info/?l=openbsd-misc&m=139698608410938&w=2

I don’t think the vulnerability was in malloced memory, it was some buffer on the stack. I’ve actually patched OpenSSL to stop Heartbleed as an exercise and IIRC the fix was in fact just preventing a typical buffer overflow.
Seems like that commenter is also saying that it would’ve been caught as a regular buffer overflow bug?

> OpenSSL is not developed by a responsible team.

I've always thought of buffer overflow as writing beyond the intended bounds of the buffer.

Heartbleed is reading beyond the intended bounds remotely. I don't think there were similar attacks beforehand, but I could be wrong. I only have a base level knowledge here.
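The write-versus-read distinction the commenter draws is easiest to see in code. The following is an added example, not code from the thread or from OpenSSL: a constructed, simplified length-prefixed echo record (1-byte type, 2-byte declared payload length, payload) handled two ways. The unchecked handler trusts the declared length and so copies bytes that lie past the record it actually received; the checked handler rejects any declared length that does not fit inside the received bytes. Nothing is written out of bounds in either case, which is why a write-oriented defence such as a guard page after the buffer would not necessarily trigger. To keep the demonstration well-defined, the record is placed at the start of a larger arena filled with a sentinel byte standing in for neighbouring memory, so the over-read stays inside the arena and can be measured.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (assumption for this example, simplified from a
 * TLS-heartbeat-style message): type (1 byte), declared payload length
 * (2 bytes, big-endian), then the payload. */
#define HDR_LEN 3
#define ARENA_LEN 64
#define SENTINEL 'S'   /* stands in for whatever memory sits after the record */

typedef struct {
    const uint8_t *data;   /* bytes that actually arrived */
    size_t len;            /* how many of them arrived */
} record_t;

static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Unchecked handler: copies `declared` bytes from the payload. The bound on
 * `out_cap` protects the destination only; the source is never checked, so a
 * declared length larger than the received payload reads past the record.
 * Returns bytes copied, or -1 on rejection. */
int echo_unchecked(const record_t *rec, uint8_t *out, size_t out_cap) {
    if (rec->len < HDR_LEN) return -1;
    uint16_t declared = read_be16(rec->data + 1);
    if ((size_t)declared > out_cap) return -1;
    memcpy(out, rec->data + HDR_LEN, declared);   /* over-read if declared > rec->len - HDR_LEN */
    return declared;
}

/* Checked handler: the declared length must fit in the bytes actually
 * received, otherwise the record is rejected before anything is copied. */
int echo_checked(const record_t *rec, uint8_t *out, size_t out_cap) {
    if (rec->len < HDR_LEN) return -1;
    uint16_t declared = read_be16(rec->data + 1);
    if ((size_t)declared > rec->len - HDR_LEN) return -1;   /* the missing bounds check */
    if ((size_t)declared > out_cap) return -1;
    memcpy(out, rec->data + HDR_LEN, declared);
    return declared;
}

/* Build a constructed record inside `arena`: 4-byte payload "ping" but a
 * declared length of 32. Everything after the 7 received bytes is sentinel. */
static record_t build_record(uint8_t *arena) {
    memset(arena, SENTINEL, ARENA_LEN);
    arena[0] = 1;            /* type */
    arena[1] = 0;            /* declared length, high byte */
    arena[2] = 32;           /* declared length, low byte: claims 32 bytes */
    memcpy(arena + HDR_LEN, "ping", 4);
    record_t rec = { arena, HDR_LEN + 4 };   /* only 7 bytes actually received */
    return rec;
}

/* Run the unchecked handler and count how many sentinel bytes ended up in the
 * response. Returns 28 for the record above: 32 declared minus 4 real bytes. */
int demo_unchecked_leak(void) {
    uint8_t arena[ARENA_LEN];
    uint8_t out[ARENA_LEN];
    record_t rec = build_record(arena);
    int n = echo_unchecked(&rec, out, sizeof out);
    int leaked = 0;
    for (int i = 0; i < n; i++) {
        if (out[i] == SENTINEL) leaked++;
    }
    return leaked;
}

/* Same record through the checked handler: -1, nothing copied. */
int demo_checked_rejects(void) {
    uint8_t arena[ARENA_LEN];
    uint8_t out[ARENA_LEN];
    record_t rec = build_record(arena);
    return echo_checked(&rec, out, sizeof out);
}

int main(void) {
    printf("unchecked handler echoed %d bytes of neighbouring memory\n", demo_unchecked_leak());
    printf("checked handler result: %d (rejected)\n", demo_checked_rejects());
    return 0;
}
```

The point for a reviewer or a detection rule is the same one the thread circles: the defect is a missing comparison between a length the peer supplied and the length of data that actually arrived, and the symptom is an oversized response rather than a crash, so it is the response size, not a memory fault, that a monitor would have to notice.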

Infoleaks are nothing new.