Exploring Linux Process Security and Public Vulnerability Disclosure

In his latest entry, Dana asks whether the Linux process is insecure, because it’s not possible to warn the "vendor" before warning the general public about security flaws in Linux. He also notes that "Microsoft has theoretical control of this situation." There are several problems with this line of reasoning. I’m not going to argue that the open source model of development is perfect, but it offers several advantages over the proprietary model. Let’s start with the most obvious.

Yes, if I discover a vulnerability in the Linux kernel — or any other open source project that does development on public lists and completely out in the open — when I reveal the problem on the development mailing list, I reveal it to the public. It’s worth noting that some open source projects, like Mozilla Foundation, have systems that allow developers to file bugs and security issues without disclosing details to the public at large.

The link for this article located at ZDNet is no longer available.