https://openid-provider.appspot.com/me@jasonclinton.com ([identity profile] https://openid-provider.appspot.com/me@jasonclinton.com) wrote in [personal profile] mjg59 2016-10-22 07:46 pm (UTC)

It's our responsibility

I know that this is not a popular view within the computer science and open source communities but: this is our problem, not the vendors'.

We ship open source software used by these vendors with unsafe defaults. We don't default closed or put giant PEOPLE_WILL_DIE_IF_YOU_DO_THIS text on our configuration variables. We ship compilers and languages that don't put safety and buffer overflow protection first. Hell, we don't even systematically regression test (let alone fuzz test) the software that our communities produce.

We ship crap code and we expect downmarket vendors to polish it.

We have to fix the problem; no one else will.

There are glimmers of hope: there are healthy projects like boringssl. There are basic language safety efforts like Rust. There's healthy discourse about handling security better within the Linux kernel community. And if that doesn't work out, there are long-shot efforts like user-mode drivers in Magenta.

The first place that any open source contributor can begin is to hold ourselves to a higher standard:

  • write unit tests,
  • try to find a way to run continuous regression tests on your code,
  • think about the security costs of backward-incompatible API changes,
  • ask for help fuzz testing binaries,
  • and, above all, think about the engineer who will recycle your library under deadline pressure.
