If anybody is wondering if there’s been academic research about deliberately submitting vulnerabilities into open source - yes.
“On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits” was a multi year research study by people at the University of Minnesota where they submitted exploitable vulnerabilities into the Linux kernel.
PDF: https://linuxreviews.org/images/d/d9/OpenSourceInsecurity.pdf
Kevin Beaumont /
npub176…fkwlw
2024-03-30 20:03:14
Author Public Key
npub176rs4lx7gjqwepgg75psfpv7zjj3xz0lyj4n7rux93ftm390sars6fkwlwPublished at
2024-03-30 20:03:14Event JSON
{
"id": "516472e2acfa550f6a9313447d6a387c6a718c59fc99da5913aa37de370686bf",
"pubkey": "f6870afcde4480ec8508f50304859e14a51309ff24ab3f0f862c52bdc4af8747",
"created_at": 1711828994,
"kind": 1,
"tags": [
[
"proxy",
"https://cyberplace.social/users/GossiTheDog/statuses/112186424998201736",
"activitypub"
]
],
"content": "If anybody is wondering if there’s been academic research about deliberately submitting vulnerabilities into open source - yes. \n\n“On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits” was a multi year research study by people at the University of Minnesota where they submitted exploitable vulnerabilities into the Linux kernel. \n\nPDF: https://linuxreviews.org/images/d/d9/OpenSourceInsecurity.pdf",
"sig": "b4d7238517d1e1c76457c87916804d2bf752c32f8dff7b6a6094ee9982ee0d5e054b0e93b06fdf8ffdbc523e5d93d00811db39c4f1f106e78304313ca59ae9ee"
}