Given Enough Money, All Bugs Are Shallow - hashx
http://blog.codinghorror.com/given-enough-money-all-bugs-are-shallow/?

======
upofadown
The bigger moral associated with the Heartbleed thing was that you need
hardass gatekeepers for important software. If you allow people to dump crap
into your project then you shouldn't expect anyone to pay attention to it.
There is no way in heck that a cryptography library needed a heartbeat
function. The LibreSSL project isn't about diversity, it's about removing the
crap. Code that doesn't exist can't cause security issues and as a result
doesn't need bug bounties.

The same idea works for standards. If you don't have a way of resisting the
inclusion of requirements in standards then your standard will end up unusable
... and then you _have_ to include all the extra code.

In general, money makes it harder to do proper gatekeeping. It is hard to
resist the commercial needs of the people that are paying the bills. These
needs often involve poorly thought out crap.

------
vorg
This post sounds like some advance marketing fluff for a commercial website
facilitating rewards for bugs found in open source software, with the backend
perhaps adapted from the codebase powering the author's Stack Overflow
business.

------
butwhy
"allowed attackers to view all traffic to these websites, unencrypted... for
two years" - but you needed access to the network or some intermediary node,
right?

