Software Security Vulnerabilities

Discussions focus on the prevalence of exploitable bugs and security holes in software, especially open source projects like OpenSSL and Linux, challenging claims that widespread scrutiny eliminates such issues.

➡️ Stable 0.8x Security
Comments: 5,188
Years Active: 20
Top Authors: 5
Topic ID: #8268

Activity Over Time

2007: 3
2008: 16
2009: 41
2010: 67
2011: 63
2012: 81
2013: 251
2014: 290
2015: 281
2016: 326
2017: 325
2018: 323
2019: 352
2020: 285
2021: 520
2022: 393
2023: 455
2024: 477
2025: 581
2026: 58

Keywords

e.g PHP HOLES OP FOSS OSF FSF nist.gov SSL VM vulnerabilities security bugs security vulnerabilities results exploits heartbleed vulnerability inject flaws

Sample Comments

wool_gather Oct 14, 2018

Vulnerabilities often arise from implementation bugs, no?

devwastaken Dec 11, 2025

the reason we needed CVE is due to the fallacy of “99% are unexploitable”. memory and logic bugs are a time bomb. you don't need 1 big exploit, only a system that is put together poorly enough to have the bugs in the first place.

shreddit Sep 26, 2021

This is not about bugs, there will always be bugs. These are security HOLES.

benaadams Sep 15, 2016

That's a bit naive... Just two examples

OpenSSL has had 22 vulnerabilities in 2016 so far [1]

Linux has had 336 vulnerabilities in 2016 so far [2]

[1] https://web.nvd.nist.gov/view/vuln/statistics-results?adv_se...

[2]

mnw21cam Apr 12, 2023

The problem with that is security bugs.

ekianjo Aug 2, 2021

it's not like there are no security vulnerabilities in FOSS apps either

zeroname Feb 12, 2019

That is entirely fallacious reasoning. Your programs could be full of exploitable bugs (and they probably are) yet nobody knows or cares enough to exploit them. OpenSSL had trivial errors unchecked and presumably unexploited for years.

fulafel Feb 7, 2020

You mean their consistently bad security track record makes their bugs less suspicious?

tgsovlerkhgsel Oct 7, 2023

Some do, some don't and don't consider it a vulnerability when reported.

runjake Oct 26, 2021

That seems beside OP's point. They are speaking of the potential bugs and security vulnerabilities all that code might/probably has, given track records.