Open Source as Insurance

by Brent Kirkpatrick (Date Published: 05/04/2017. Revised: 05/21/2018.)
Hacking and computer security challenges are often beyond the ability of one programmer to fix. Recall that program verification is undecidable. Again, we need a community of effort to address security challenges. The shared source and shared development model of open source allows the whole community to work on re-securing the OS after major security challenges. This is a sort of insurance.
Insurance is a scheme of shared liability for unpredictable, costly events. Every customer pays into insurance against the future possibility that they may need a large pay-out (typically larger than the sum of their contributions). Open source can be viewed as a pseudo-insurance scheme. Every individual programmer pays in a tiny fraction of the total code base. A major security challenge, like a worm, is a shared costly event. Several developers may contribute to finding, analyzing and repairing the crucial vulnerabilities. This is how the open source model spreads the time and cost of creating security patches over the community.