[davidfiala]

> tldr; your statement overlooks the reality of businesses with high ethical and financial obligations, like Google, Amazon, and Azure.

- These companies underpin much of the internet's infrastructure.

- Their security practices are far more advanced than typical businesses, with SSH being a heavily restricted last resort. That's not to imply that everyone else shouldn't strive to do meet that (modern) bar too.

- Dedicated teams focus on minimizing access through time-based, role-based, and purpose-based controls.

- They actively develop new security methodologies, often closed-source, but with public evidence of their impact (e.g., https://cloud.google.com/docs/security/production-services-p... ).

- They rarely experience conventional hacks due to reduced blast radius from attacks and insider threats.

- Leading security experts in both major tech companies and niche organizations are driving new strategies and ways to think about security... their focus includes access reduction, resilience, and reliability, regardless of whether the solutions are closed or commercial for them. The ideas spread. (looking at you, Snapchat, for some odd reason)

- This is key: This evolution may not be obvious unless you actively engage with those at the forefront. I think it's what makes people think like the comment above. We cannot see everything.

- It's crucial to recognize that security is a dynamic field... with both open-source and closed-source solutions contributing.

So, the notion that volunteer-led projects are inherently more secure overlooks the significant investments in security made by major corporations that host the internet, and their relative success in doing so. Their advacements are coming to the rest of the world (eventually).

[dijit]

Volunteer led still seems to be more secure, even with a lot of corporate investment.

Rather than corporate lead endeavors which are very hit and miss, mostly miss, especially when the product itself claims security as a core principle.

It might not make sense to you, but the evidence points to this.

[davidfiala]

Couldn't agree more on this one:

> especially when the product itself claims security as a core principle

My thought is that both volunteers and corporations contribute. In different ways, too.

One example is how a YC company made an open source version of Zanzibar. Zanzibar was an open paper to the world from Google that describes a flexible, resilient, fast access control system. It powers 99% of ACLs at Google. It's /damn/ good for the whole world and /damn good/ for developers' sanity and company security.

Corporate endeavors may fail, but they are often intense in direction and can raise the bar in terms of UX and security. Even if it's just a whitepaper, it still cannot be discounted. Besides, the larger places focusing on security aren't getting a big blast radius hack all that often, yeah?

I'm curious though, you've intrigued me. What kind of evidence or just lightweight ideas are you thinking of wrt volunteer led being more secure? No need to dig up sources if it's hard to find, but the general direction of what makes you feel that would be useful.