The Atlantic Council on open-source policy

The Atlantic Council (described by Wikipedia as “an American think tank in the field of international affairs”) has published a lengthy report on the problem of security in open-source software and what might be done about it.

OSS is really not much different from proprietary software: all
code can be developed more securely, and the security risks OSS
faces are common across most digital systems. For OSS the
differences come in the relationships between open-source
consumers—from government to the private sector to end users—and
the projects they rely on. The lack of clear transactional
relationships and the deeply influential role of the diverse,
ever-changing contributor community are a challenge for policy and
industry to navigate and support sufficiently. The result is an
ecosystem that has both enabled digital innovation and often
suffered from overburdened developers and under-resourced
communities and projects.



Source: LWN.net – The Atlantic Council on open-source policy