05.02.2026 - Updates

Vulnerabilities in the code: Why transparency and enterprise licences provide security

Security vulnerabilities can never be completely ruled out in complex software, regardless of whether it is open source or proprietary. The decisive factor, however, is how they are handled. Our security team at OpenCloud has discovered a vulnerability in Public Links and rated it CVSS 8.2 (High): a vulnerability that requires immediate action, especially when the software is used in a professional environment.

Vulnerabilities in the code

At a time like this, transparency and speed towards customers and the community count. This is precisely the strength and DNA of open source software compared to proprietary solutions: in open source projects, information on affected parties, measures and fixes is always publicly traceable. Transparency is part of the security culture of open source software and a matter of course.

The current discovery by our security team was handled according to responsible disclosure principles: first coordinated clarification and fix, then publication with patch and clear update notes. This process focuses on the security of users.

Collaboration in the open source ecosystem

Even in a competitive environment, good collegial exchange between projects is a matter of course in open source, as different projects can be based on shared code components. In this case, the collaboration between the maintainer teams involved worked very well: OpenCloud recognised the vulnerability and immediately started to analyse and fix it. At the same time, we informed both the nuclear research centre CERN and the ownCloud supplier Kiteworks (in whose code base the problem originated). Where necessary, the security fix was checked together and implemented in such a way that it can be reliably rolled out in the respective codebase. This ensured that all affected parties were able to secure their code and that customer installations, such as the BayernCloud Schule (ByCS), were also secure again thanks to OpenCloud's findings.

Responsibly securing infrastructure with enterprise support

Today's requirements, whether based on KRITIS, NIS2 or "only" from the perspective of responsible IT operations and business continuity, require the software used to be reliably secure at all times. Nowadays, security vulnerabilities are exploited so extensively and automatically that every minute counts.

Open source software leads the way here with transparency and clear disclosure processes. But only enterprise licences with the manufacturers enable secure, confidential communication channels in advance and reliably provide customers with tested patches with sufficient lead time to apply them in a coordinated manner before the security problem is published.

Use the expertise of our security team and secure your own IT operations! Information on licences and support can be found here. Our team will also be happy to advise you personally on request.