Recent vulnerabilities like Heartbleed and Shellshock have brought the security practices and track record of open-source projects into the spotlight. A project’s response to security issues has a major impact on how much risk end users are exposed to and how the project is perceived in the technology industry.
We will compare the security practices of key projects such as Linux, Docker, Xen Project, OpenStack and others. We will explore the trade-offs of different security practices, such as community trust, competing stakeholder interests, fairness and media coverage of vulnerabilities. Finally, we will explore the evolution of the Xen Project’s security process over the past 3 years as a case study. We will illustrate the trade-offs, pain points and unexpected issues we have experienced, to help other projects understand the pit-falls in designing robust security processes and help users of open source projects understand how open source projects manage security vulnerabilities.