Incentive to hunt for exploits.

One of the shibboleths of Open Source development is that many eyes make all bugs shallow. While this makes intuitive sense, one thing that Heartbleed shows us is that something in plain sight can remain unfound if no one is looking for it.

Finding exploits is not just about being able to look at the source code. It is about the incentive to look for the exploits in the first place. Hunting for exploits is tedious. Although some people perform tedious tasks for altruistic reasons, people generally perform tedious tasks because they are looking for some sort of reward.

What we’ve learned from Heartbleed is that a bug in a critical piece of infrastructure software remained undetected by altruists for some years. We don’t know how long it took self-interested black hats to find the bug. It’s not unreasonable to assume that an exploit of that magnitude would demand a sizable sum on the exploit markets. An exploit of that magnitude would only retain its value if it wasn’t widely known about.

We don’t know whether the NSA or other government agencies that specialize in cybersecurity knew about and were exploiting Heartbleed before the vulnerability was publicly disclosed.

What we can guess is that if the people at these agencies didn’t know about the vulnerability before the public disclosure, some of them are going to be sitting in some very uncomfortable meetings about *why*, when the source code was open, they didn’t find such a useful bug soon after the code was committed.


What's Hyperbole, Embellishment, and Systems Administration Blog?

IT pro Orin Thomas provides true tales, snafus, news, and urban legends for Microsoft Windows system administrators.


Orin Thomas

Orin Thomas is a contributing editor for Windows IT Pro and a Windows Security MVP. He has authored or coauthored more than thirty books for Microsoft Press, founded the Melbourne System Center,...