[charcircuit]

Why only a focus on Open Source? I feel like vulnerabilities in closed source products like Microsoft Office, Microsoft Windows, and Google Chrome to name a few can be just as essentially and foundational as other open source software for many businesses.

[dofm]

I think the idea is that automated source code processing is making it possible to find vulnerabilities at great speed and in an overwhelming way in software that does not have paid maintainers, whereas closed source software in active use has both less accessible code and paid maintainers.

A charitable foundation might be plausible to help companies secure their closed for-profit software but it doesn’t really have the same urgency for the fabric of the internet (or the same moral clarity)

[graemep]

Its a worry, but its too early to be sure what the long term effects will be. We will have many eyes on a lot more code. There might be a rush of reports that slows as all the old vulnerabilities are found.

Closed software still has many people with access to the code. Governments or researchers have been given access to lots of critical source code. It can also be leaked. I wonder whether attackers are going to be more willing to bribe people with access to source now they have better odds of finding vulnerabilities with limited effort.

[dofm]

> Closed software still has many people with access to the code.

But in the examples cited (and really any other large closed piece of code of any significance in this era) it also has owners with money, and they should be compelled to fix their own stuff.

Or open the source code to be fixed, I guess ;-)

[charcircuit]

>both less accessible code

Yet still important to be secured due to the impact vulnerabilities can have. And LLMs can work without source code access via utilizing things like debug symbols, disassembly, reverse engineering, etc.

>paid maintainers

Just like open source maintainers their time is already being spent on other things which they see as more important over making the project 100% security bug free. Just because they are being paid, that doesn't make security their number 1 priority.

[behindsight]

Project Glasswing is already a thing, and the other labs have started their own initiatives too if they want to collaborate and work on securing closed-source software.

Still not addressed the moral clarity point being brought up, nor the ramifications of the Linux Foundation choosing which closed source projects to focus on and alienating their mission statement.

Again, your idea is noble but why should the Linux Foundation be saddled with it when those other options exist? OSS needs their focus as their mission outlines.

[dofm]

> that doesn't make security their number 1 priority.

Well perhaps the companies who employ them to make that software they sell for profit should let them do that first rather than tokenmaxxing, and the great big non-profit effort can get round to them to help a little bit later after it has helped secure all the open-source stuff the internet actually runs on.