Is Open Source or Proprietary More Secure?
Open-source software projects are, in theory, more secure than closed-source/proprietary software due to the clear disclosure of security vulnerabilities and the potential for source code review.
Contributors to open-source projects can also supply a software fix for any vulnerability discovered through an audit, so that the mitigation is integrated into a new patch release. Conversely, closed-source software may only be audited by independent third-party security testing on an annual basis, or by internal security teams as part of an organisation's security testing regime.
However, there is no clear answer as to which is more secure. It depends entirely on the developer(s) involved with the project and on the approach taken to security testing and auditing of the software, both by the wider development and security research communities and by the vendors of closed-source software.
Previous examples of vulnerabilities in open-source software include the Linux kernel itself, amongst other software packages used daily by countless organisations.
Numerous critical vulnerabilities have been disclosed decades after they were introduced into the source code. The complexity of the Linux kernel, much like that of closed-source alternatives, can discourage regular audits, even by volunteers, which can leave potential vulnerabilities undiscovered and outside public knowledge.
Malicious actors often perform reverse engineering of closed-source and proprietary software to discover vulnerabilities that can be used for nefarious purposes, and similarly, they may audit open-source software code to the same end.