Collective Response to OAuth Vulnerabilities is Model to Emulate
A protocol vulnerability was discovered in OAuth, an open authorization protocol (details here). The developer community kept the news out of the press while they worked on a solution. There is some back story about Twitter-bashing for disabling OAuth services, but that's another story. The more interesting aspect is the fact that a distributed team of developers collaborated across organizational boundaries to contain the problem. Compare the speed at which this vulnerability was addressed with the speed at which many vendors respond to vulnerabilities.
Marshall Kirkpatrick sums it up this way:
And that's how a decentralized community solved a security threat in an open identity spec, quickly. One company (Twitter) took a risk in implementing a new technology advocated by an employee of another company (Yahoo's Hammer-Lahav), then an engineer at yet another company found the beginning of the security hole, then news of the whole problem was sent out to contacts on a Wiki, an email list was formed, companies donated their employees' valuable time to aid in the effort, everyone more or less kept their mouths shut (including the unfairly criticized Twitter) and then everyone worked together to find a solution just in time.
When a colleague or boss presses you to explain how an open source community could provide support comparable to a private vendor, point out this story.