Flaws put open source on hot seat

By John Fontana , Network World , 03/10/2003

The sendmail and Snort security bugs exposed last week brought front and center the unique challenges inherent in producing and applying patches to open source software.

The bottom line, experts say, is that corporate users should be aware that open source patches can be produced quickly but won't necessarily come from a trusted source. Also, it is difficult to track software that might need a patch.

"With open source you really have a double-edged sword," says Dan Ingevaldson, the team leader of X-Force Research and Development at Internet Security Systems, which discovered the sendmail bug. "It's very open but there is no single point of contact where there is a list of enterprise customers using the code."

That could foster a disconnect between code developers and users not plugged into mailing lists.

The issue was raised last week with Sendmail, Inc., and SourceFire, which employ creators of popular open source software but also sell commercial versions of the code.

In the sendmail case, code creator Eric Allman was notified of the bug and then he informed companies such as HP, IBM and Sun that he knew had the 15-year-old open source code in their commercial products. Those vendors then developed patches for their own customers.

But Allman says, "on the open source side, you don't always know who picked up the software. You can get the big companies, but for all the others you just announce the problem in the appropriate places."

The open source world includes mailing lists and Web sites such as sendmail.org and SecurityFocus Bugtraq.

On the closed source side, a central point of contact, say Microsoft, becomes the flash point for OEMs and other known licensees of products. But the criticism against closed source vendors is that often they don't respond quickly or at all until hackers release exploit code.
