It is said that there are three subjects you should never discuss at the dinner table: sex, religion and politics. I'd like to add a fourth to that combustible list: open source software.

Open source is one of those subjects journalists treat cautiously, which is probably why a recent report by security company Qualys, relating the versions of some open source web apps to their known vulnerabilities, has caused some angst ever since I tackled it for a news story.

The Qualys researchers looked exclusively at open source web apps using a version-fingerprinting tool called BlindElephant, for reasons that had nothing to do with picking on the movement, and I reported their findings in good faith. The tool does not scan for vulnerabilities per se: it identifies which version of an application a site is running, by comparing the static files it serves against those of known releases, and that version might or might not be the subject of known vulnerabilities. A site running an old version could still have had a fix backported or applied locally, which a version check alone cannot see. Nor is the technique inherently limited to open source apps.
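To make the distinction between version fingerprinting and vulnerability scanning concrete, here is an added example in Python. It is my illustration of how a static-file fingerprinter of this kind works, not BlindElephant's code or Qualys's data: the application ("demoapp"), its three releases, the file contents, the target site and the advisory with a fix in version 1.0.1 are all constructed inline so the script runs offline.

```python
import hashlib

# Constructed example (not BlindElephant's code or data): three releases of a
# fictional web app, "demoapp", each shipping a few static files. A real
# fingerprinter derives this table from the project's published release
# archives; the contents below are made up so the script runs offline.
RELEASES = {
    "1.0.0": {
        "css/style.css": b"body { color: #000; }\n",
        "js/app.js":     b"var APP = {init: function () {}};\n",
        "README.txt":    b"demoapp 1.0.0\n",
    },
    "1.0.1": {
        "css/style.css": b"body { color: #000; }\n",              # unchanged from 1.0.0
        "js/app.js":     b"var APP = {init: function () {}, v: 1};\n",
        "README.txt":    b"demoapp 1.0.1\n",
    },
    "1.1.0": {
        "css/style.css": b"body { color: #111; }\n",
        "js/app.js":     b"var APP = {init: function () {}, v: 1};\n",  # unchanged from 1.0.1
        "README.txt":    b"demoapp 1.1.0\n",
    },
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_signature_db(releases):
    """Index every known static file as path -> {sha256: set(versions)}, so a
    file fetched from a target can be looked up by its hash alone."""
    db = {}
    for version, files in releases.items():
        for path, content in files.items():
            db.setdefault(path, {}).setdefault(sha256(content), set()).add(version)
    return db


def fingerprint(fetched, db):
    """fetched maps path -> bytes served by the target (None for a 404).
    Each matched file restricts the candidate versions to those that ship
    exactly that content; the intersection across files is the fingerprint.
    Files that match no known hash (local edits, an unknown release) are
    returned separately rather than silently discarding the evidence."""
    candidates = None
    unmatched = []
    for path, content in fetched.items():
        if content is None or path not in db:
            continue
        versions = db[path].get(sha256(content))
        if versions is None:
            unmatched.append(path)
            continue
        candidates = set(versions) if candidates is None else candidates & versions
    return sorted(candidates or ()), sorted(unmatched)


def parse_version(v):
    return tuple(int(part) for part in v.split("."))


def assess(candidates, fixed_in):
    """Relate a fingerprint to a hypothetical advisory whose fix shipped in
    version fixed_in. This is version intelligence, not a vulnerability test:
    'predates-fix' means the release line is older than the fix, which a
    distributor backport or a local patch could already have closed."""
    if not candidates:
        return "unknown"
    fixed = parse_version(fixed_in)
    if all(parse_version(v) >= fixed for v in candidates):
        return "fixed"
    if all(parse_version(v) < fixed for v in candidates):
        return "predates-fix"
    return "ambiguous"


if __name__ == "__main__":
    db = build_signature_db(RELEASES)
    # Constructed target: stock 1.0.1 files, with README.txt removed by the admin (404).
    target = {**RELEASES["1.0.1"], "README.txt": None}
    versions, unmatched = fingerprint(target, db)
    print("candidate versions:", versions, "unmatched files:", unmatched)
    print("against a fix shipped in 1.0.1:", assess(versions, "1.0.1"))
```

Two things worth noticing when running it. A single file rarely pins a version (js/app.js alone is consistent with both 1.0.1 and 1.1.0); it is the intersection across several files that narrows the candidates, and a site that strips or edits files shrinks the evidence. And the final verdict is never "vulnerable", only "the fingerprinted release predates the fix", which is exactly the gap between what a versioning tool measures and what a reader may take it to mean.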

Qualys is, to be clear, a respected source of vulnerability intelligence, but it turned out that they had slightly mis-assessed several apps. For one app, phpBB, the resulting figures were significantly wrong.

The company has since accepted that an error was made and corrected its white paper, with particular attention paid to phpBB 3.x. The story on Techworld was corrected to reflect the amendments. Qualys explains the corrections in its own posting.

Unfortunately, the blogosphere doesn't always stop and think before it pronounces, and some sources decided that the Qualys research, and my news story covering it, were not only factually in error but showed some kind of anti-open source bias.

Let's make clear that I do not believe this research shows open source to be more or less insecure than closed source/proprietary software, nor does my original Techworld story suggest any such thing. The findings tell us about patching activity: how promptly sites move to the current version of the software they run.

My omission was not to have spelled out, at length, that the researchers' partly negative calculation regarding the patching of one segment of web apps, derived from versioning stats, implied nothing about open source as a whole vis-a-vis rival models of software development.

The issue raised by the Qualys report remains the potential vulnerability in web software encountered by ordinary users, caused by poor updating, not the relative merits of one way of coding and licensing it.

Whatever the merits of a particular software model, it is not the sensitivities of developers that are at stake here but the safety of ordinary web users. On that score there is still a long way to go and tools such as Qualys's BlindElephant could yet be a useful way of making progress.