Hacker News

Similar behaviors likely exist in OSS; they are just called different things.

For example, ACME Co uses open source project XYZ. ACME Co uses resources to make sure that XYZ is secure and bug free. ACME Co is then incentivized to contribute any changes they have found, because they would like to stay in sync with the master branch of XYZ so they can get any updates the community pushes.

In the case of OSS, the pool of resources is likely far bigger than with closed source software.




That's how the theory goes, but how often does this really happen? See: OpenSSL


The simple reality is that when it comes to vulnerability research, Microsoft : Windows :: Google : Open Source.


Google's Project Zero has found quite a number of Microsoft bugs. Unfortunately, Microsoft has not reciprocated the favor.


Hehe, "favor"


Well, the kernel, right? Many, many major corporate contributors. Kind of the opposite of OpenSSL, I guess, which everyone uses and no one seems to maintain.


On the other side, e.g. Egor Homakov hacked GitHub a few times through vulnerabilities in Rails. GitHub paid him bounties anyway. I'm no expert, but it appears to me that at times it does work, just not always.


Is GitHub itself open source, though?


No, but a company paid a bounty for a leak in Rails, which is open source. Isn't that what this topic was about?


Well, I think the source code is included (since it's Ruby, but encrypted) with the GitHub Enterprise image. But that's "source code available", not "open source" (i.e., under a copyleft license).


> But that's "source code available", not "open source" (i.e., under a copyleft license)

It's proprietary. Also, there are many free software (or "open source" if you prefer) licenses that are not copyleft. MIT, Apache, Revised BSD, zlib, etc are all examples.


Encrypted with a widely known (people have blogged it) key.


You say that like Heartbleed was the end of the story. Since then, "the Linux Foundation launched the Core Infrastructure Initiative (CII) as a way of getting resources to those projects. That has helped OpenSSL, among others, to get back into a healthy state." which includes a ton of funding from many companies that depend on OpenSSL like AWS, Google, Intel, Microsoft.

https://lwn.net/Articles/702751/


See: BoringSSL



