And isn't it also mostly a transitioning issue. Those open codebases will be constantly scanned for potential security issues and getting more and more hardened. There are probably a lot of easy wins that are going to be discovered over the next few years but it should taper out after a while.
reply
Fair point but it assumes we all have access to LLMs with the same capabilities.
reply
I don't think that's exactly it. OSS only needs someone to have a strong LLM to check for bugs. If your software is proprietary, it's a competition between just you and whatever model you have vs any attacker and whatever model they can lay hands on.
reply
I don't see the difference.

> OSS only needs someone to have a strong LLM to check for bugs.

The same applies to proprietary, closed-source code. It being closed-source means that the source isn't generally available, but the executable is. Hence, someone with a strong model can still reverse it and find vulns.

reply
deleted
reply
disassembly only applies to client side software

something like nginx could arguably be more secure if it was closed source

(I am a proponent of and contributor to open source)

reply
Only until a single server running nginx is hacked and the binary leaked though...
reply
Um, the nginx binary would have to be in the hands of hundreds of thousands of server operators. And the set of server operators is rich in the kind of person who would attack it. Not to mention the huge number of leaks you'd get.

Maybe if it's some server-side software that you only use yourself...

reply