DevSecConflict: How Google Project Zero and FFmpeg Went Viral For All the Wrong Reasons

Security research isn’t a stranger to controversy. The small community of dedicated niche security teams, independent researchers, and security vendors working on new products finds vulnerabilities in software, and only occasionally has permission to find and exploit them. This security industry has always had a fraught relationship with the law and with the terms of service of the organisations it targets, as notoriety is prioritized over legalities. Regardless of the true motives of security researchers, it is difficult to argue that this vulnerability hunting is done with no genuine desire to improve security, in addition to producing a conference talk or two.

To avoid legal threats, many researchers opt to avoid commercial software, products, and applications and instead turn their attention to open source. Open-source teams welcome contributions to improve security, offer transparency through pull requests, and are used throughout the industry. Where closed-source software may respond with a legal threat, open source responds with an enthusiastic thank-you, allowing security researchers to make an impact and talk about their work.

This article has been indexed from DZone Security Zone
