Incentive to hunt for exploits.

One of the shibboleths of Open Source development is that many eyes make shallow bugs. While this makes intuitive sense, one thing that Heartbleed shows us is that something in plain sight can remain unfound if no-one is looking for it.

Finding exploits is not just about being able to look at the source code. It is about the incentive to look for the exploits in the first place. Hunting for exploits is tedious. Although some people perform tedious tasks for altruistic reasons, people generally perform tedious task because they are looking for some sort of reward.

What we’ve learned from Heartbleed is that a bug in a critical piece of infrastructure software remained undetected by altruists for some years. We don’t know how long it took self interested black hats to find the bug. It’s not unreasonable to assume that an exploit of that magnitude would demand a sizable sum on the exploit markets. An exploit of that magnitude would only retain its value if it wasn’t widely known about.

We don’t know whether the NSA or other government agencies that specialize in cybersecurity knew about and were exploiting Heartbleed before the vulnerability was publicly disclosed.

What can guess is that if the people at these agencies didn’t know about the vulnerability before the public disclosure, some of them are going to be having some very uncomfortable meetings held as to *why* when the source code was open they didn’t find such a useful bug soon after the code was committed.