It has been reported that security researchers have uncovered multiple XSS vulnerabilities in TAO, an open source assessment platform. Researchers discovered the ‘medium’ severity vulnerabilities after examining the community edition of TAO, an employee training and assessment tool.
People select open source solutions for a variety of reasons, but for many the allure of a free tool that is related to a commercial offering is strong. Within open communities, commercial versions of software are usually related to their open source versions through either an “open core” or an “upstream” model. In the open core model, the core code of the commercial version is developed following open source practices, and “enterprise” features are then attached to that core to create the enterprise offering. The upstream model differs slightly: functional differences tend to be fewer, but additional testing and support processes are used to define a “qualified release”. Either way, the code for the commercial version is derived from its open source roots, which typically means that the open source code is just as secure as that of the commercial offering.

From the SEC Consult report, it appears that TAO Testing treats security fixes as part of the value customers obtain by purchasing a commercial license. This is a perfect example of why I recommend that consumers of open source solutions directly engage with the communities that create their software – you get to learn the security standards employed by that community. In the case of TAO, the lack of README instructions for how to build the software and how to contribute to the project indicates that TAO Testing is primarily publishing its source code rather than building an open source community. Consumers and users of the TAO Community Edition should reach out to TAO Security to clarify expectations for timely security updates and how they expect open source community engagement to occur.