
The vendor claimed that if the code was out it would be a security risk. The agency claims the vendor needs to protect their intellectual property rights. We have (some) visibility into other things our taxes pay for -- the software should absolutely be one -- especially the regulatory compliance ones that drive enforcement action.

Edit: also, they were breached anyway shortly after launch (2018) and then an email went around offering to sell the code and data from their entire system.



And it is true: If their code were out, it would be painfully obvious that it is full of vulnerabilities. Security by obscurity!

I know that because I’m myself afraid of making my old app open-source… I wish I had done a bug bounty from day #1.

Bug bounties are a killer tool. I wish some lawyers had made a license like “Not open-source but here’s the source for vulnerability research.”


The government could also require a bug bounty, with a centralized agency investigating reports.



