OSS Security

Open-source software is always secure by default

Open-source software can have vulnerabilities that attackers may exploit

Open-source software does not need updates

Security is only necessary for proprietary software

Well-documented code

Outdated dependencies with known vulnerabilities

A small number of contributors

Open communication between contributors

Report it to the project maintainers following the security policy

Publicly disclose it without notifying the maintainers

Ignore it and continue using the project thinking it be fixed later

Delete the project from your system

MIT License

BSD License

GPL (General Public License)

Apache 2.0

Unmanaged security patches in outdated libraries

License violations for using proprietary code

The inability to deploy open-source software on cloud platforms

Open-source software only works with specific programming languages

Limiting the number of contributors to a project

Using obscure, non-standard code to prevent attacks

Regular updates and patching to fix known vulnerabilities

Not sharing the source code with anyone