re: #19 dog philosopher

ope source projects like ssl hypothetically benefit from extensive peer review - this is often touted as one of the main benefits of open source software

but the review is entirely voluntary and apparently never happened in this particular case

At my previous company we built source-code analysis tools, byte code analysis tools, and runtime analysis tools. We often tested open-source projects as part of our internal QA (not to fix the vulnerabilities, but to ensure our product could find them). We also validated some of the finds by exploiting the code internally. It’s made me a bit paranoid about security flaws, so I did my own audit of our external servers the last two days - found a couple of vulnerabilities, and now our admins are doing full audits, applying patches, and reporting the results.