The code is open – but who is looking at it?

When we have new vulnerabilities in decades old code, it begs the question – if it was open and easily accessible, how come no one saw it until now?

This is one of the fallacies of open source – assuming that simply because code is open and freely available, it is inherently secure because surely someone knowledgeable about programming checked it. And this has been proven wrong time and again over the years. Vulnerabilities like those found on some of curl’s earlier commits, from over 20 years ago, are still being disclosed today, and this is just a pervasive effect of the mindset described before.

The thing is, someone may have been looking alright – and then found the bugs and kept them to themselves. There is a whole underground economy model built around this issue. Vulnerability hoarding is happening today, threat groups actively pursue newly discovered but yet undisclosed vulnerabilities and are ready to pay handsomely for them – in fact, more than most bug bounty programs pay. This makes it especially tricky to eliminate, as the financial motivator is very much present.

This talk will address the impact to the Enterprise Open Source space, how companies can implement security measures in their automation pipelines to mitigate the risk and how the mindset should change – from blind trust to a trust-but-verify approach whenever new open source code and applications are deployed – and how to respond as fast as possible to ensure security and system integrity.

Joao Correia

Joao Correia is a Technical Evangelist at TuxCare with a long background in System Administration, where he learned the intricacies of keeping enterprise stakeholders happy and systems protected. Co-host at the Enterprise Linux Security podcast, where he shares his views on security, open-source and IT best practices, and on the TuxCare blog at, where he covers at length the risks and benefits of open source solutions for secure Enterprise IT operations.