
PS: I also take issue with the "paid security researcher" remark. Absolutely nothing in either Free or Open Source excludes paid personnel or private companies from the equation. Hobbyist programmers are not the only ones accepted. I don't understand why you see this as extraordinary.

I never meant to imply paid researchers should not work on it. What I meant is:

"The whole world can see every line of code in Linux. This is one of the reasons Linux is more secure than other operating systems and why open-source software overall is safer than closed software. The transparency of the code ensures it's secure." - Linux Foundation executive director Jim Zemlin

http://venturebeat.com/2013/11/26/linux-chief-open-source-is...

What happened in the case of Heartbleed? The security flaw was found by paying someone to work on the security.

I meant to mock this: "The transparency of the code ensures it's secure." I was mocking it by noting that nobody cared to look for or fix that bug because OpenSSL was important, because it was widely used, because it was interesting, because it was open source, because it was a puzzle, or just for something to do one rainy day. Only when someone was paid to do it did it get done. Therefore the "open source is more secure" claim is a nonsense.

It's more secure because someone was paid to work on it. The claim that "open source did it" is snake oil.



In this case, you're right. I don't know that I would make a general rule out of it, though. Maybe in general open source helps, but in this case (for several reasons, including that OpenSSL seems to be a barely understandable mess, or "written by monkeys" as some put it) it didn't.

I agree that thinking "open source magically makes software better and more secure" is absurd. I also agree that Jim Zemlin's statements (in general, in that article) are more of a PR thing than accurate statements.



