Comparative Investigation of Vulnerabilities in Open Source and Proprietary Software: An Exploratory Study

The success of products like Apache and Linux has propelled increased awareness and adoption of open source software (OSS). Despite increased adoption of OSS products, questions about their security and reliability remain. Using four popular OSS and proprietary products as an initial sample, we examine the vulnerability patterns in OSS and proprietary products. Our analysis suggests that for both proprietary and open source products, in general, severe vulnerabilities are identified relatively late in the product’s life and continue to emerge months after the software release. In particular, contrary to expectations, detection of vulnerabilities is no faster in open source (OS) than proprietary products. However, open source products had lower count of vulnerabilities at all levels of severity compared to proprietary products. We propose a conceptual framework to explain the variations in vulnerabilities between the OS and proprietary products. Our insights from the study have implications for research and practice.