Ask HN: Is Heartbleed a good argument for using closed source?

1 points by jheriko ↗ HN
We know that websites hosted on e.g. the MS tech stack are basically unaffected by Heartbleed due to their having their own implementation rather than OpenSSL. Even if such a vulnerability exists it is hard to find in source code that isn't publicly available - i'm not sure if thats an argument for or against - or perhaps part of both. The counter of course is that such vulnerabilities are less likely to be discovered (and therefore quickly fixed). Thoughts?

4 comments

[ 3.2 ms ] story [ 22.3 ms ] thread
While I'm a novice, at best, on such issues, I personally believe that the more eyes on the code, the better. A team of developers can't possibly account for any and all mistakes, bugs, etc. The code should be secure enough that allowing people to see it wouldn't undermine its security efforts.
> The code should be secure enough that allowing people to see it wouldn't undermine its security efforts.

That is a good idea IMO. :)

Quite the opposite, as total mentioned. If this had been closed source, we would have not known about the bug, and it likely would have stayed around for a lot longer... until someone wanted to modify that particular part, or do a fresh rewrite from scratch.
sure, i do mention this - but what about the difficulty in finding the vulnerability?