

Ask HN: Is Heartbleed a good argument for using closed source? - jheriko

We know that websites hosted on e.g. the MS tech stack are basically unaffected by Heartbleed due to their having their own implementation rather than OpenSSL. Even if such a vulnerability exists it is hard to find in source code that isn't publicly available - I'm not sure if that's an argument for or against - or perhaps part of both. The counter of course is that such vulnerabilities are less likely to be discovered (and therefore quickly fixed). Thoughts?
======
total
While I'm a novice, at best, on such issues, I personally believe that the
more eyes on the code, the better. A team of developers can't possibly account
for any and all mistakes, bugs, etc. The code should be secure enough that
allowing people to see it wouldn't undermine its security efforts.

~~~
jheriko
> The code should be secure enough that allowing people to see it wouldn't
> undermine its security efforts.

That is a good idea IMO. :)

------
LeoSolaris
Quite the opposite, as total mentioned. If this had been closed source, we
would have not known about the bug, and it likely would have stayed around for
a lot longer... until someone wanted to modify that particular part, or do a
fresh rewrite from scratch.

~~~
jheriko
Sure, I do mention this - but what about the difficulty in finding the
vulnerability?

