The Mathematics of Obscurity: On the Trustworthiness of Open Source

It is more difficult to find errors when source code is secret. More people search for errors when source code is public. These counteracting effects are pivotal to the question whether openness fosters security. Errors in software are found by people with either constructive contribution or exploitation in mind. Focusing exclusively on this discovery aspect, we present a probabilistic model, which allows us to compare the open source and closed source situations. We start out with our assumptions explained using a simple introductory model. We then extend this to what we believe to be an adequate model of a bug-hunting process conducted by multiple competing parties. The model employs an asymmetric race paradigm. One of the surprising results is that even an arbitrarily large group with good intentions cannot safely dominate the evil attackers. Instead, they are limited by a significant upper bound in their winning chances.