1

Is it possible for the developer of an open-source software to hide a backdoor without getting caught?

Obviously open-source is superior to closed-source when it comes to transparency; I am also aware of the fact that open-source does not necessarily mean 0-day-free (if there is such software), but has a backdoor ever been discovered in open-source software?

Ulkoma
    '0-day' does not equal 'backdoor'. Backdoors are intentional. True, errors and bugs can create de facto backdoors, but the intent is missing. – schroeder Aug 26 '14 at 14:40

4 Answers

7

Backdoors in open-source software have been discovered, yes.

Generally speaking, open-source does not automatically mean the software is secure or free of bugs. Just remember Heartbleed in OpenSSL.

One of the main problems is that everyone could take a look at the source, but often no one actually does, thinking someone else surely did it before. So it is possible for bugs or backdoors to stay hidden in some project for a very long time.

Another problem may be the complexity of some projects: it is just not possible for a single person to look at the source and know whether it is safe or not - you would need a long time to accomplish this; just see the security audit of TrueCrypt for example.

In this context a main problem of open-source is that everyone can modify the code and share his own program. There are many cases of this: manipulated versions of big open-source programs like Firefox, phpMyAdmin etc. The normal PC user won't ever notice that there is something wrong, but he is happily using a big backdoor.

So open source may be a little bit more secure because in theory everyone could check the code, but in practice bugs or backdoors may go undiscovered for a long time. And please don't get me wrong, I'm a big fan of open-source software, but I am aware of the risks and so should everybody else be.

Tokk
    And of course you must guarantee that the binary you run corresponds to the source you use. Which requires building it yourself in a build environment you trust. http://cm.bell-labs.com/who/ken/trust.html – Steve Dodier-Lazaro Aug 26 '14 at 14:47
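The comment above makes the point that reading the source only helps if the binary you run was actually built from that source. As an added example, not from this thread or from any project it mentions, here is a small Python checker for the last step of that process: it parses a sha256sum-style manifest, which is assumed to be what an upstream release publishes, and compares it against artifacts you rebuilt yourself in an environment you trust. The file names, file contents and the manifest are constructed for the demonstration; the two digests are the standard SHA-256 test vectors for the input "abc" and for the empty input, so the expected outcome is known in advance.

```python
# Added example (not from the thread or any project it mentions): compare artifacts
# rebuilt from source against the hashes an upstream release is assumed to publish.
# All paths, file contents and the manifest are constructed for the demonstration.
import hashlib
import hmac
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of in-memory bytes, lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file on disk, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sum(manifest: str) -> Dict[str, str]:
    """Parse sha256sum(1) output: '<64 hex chars>  <name>' or '<hex> *<name>' (binary mode).

    Blank lines and '#' comments are ignored; anything else malformed is rejected
    rather than silently skipped, so a truncated manifest cannot pass as complete.
    """
    digests: Dict[str, str] = {}
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"non-hex digest in manifest line: {raw!r}") from None
        digests[name.lstrip("*")] = digest.lower()
    return digests


def verify_release(manifest: str, rebuilt: Dict[str, bytes]) -> Dict[str, object]:
    """Compare rebuilt artifacts (name -> bytes) with the published manifest.

    Every published entry must be present and match; extra local files are reported
    but do not affect the verdict, since the manifest is the authority on the release.
    """
    published = parse_sha256sum(manifest)
    matching: List[str] = []
    mismatched: List[str] = []
    missing: List[str] = []
    for name, expected in sorted(published.items()):
        data = rebuilt.get(name)
        if data is None:
            missing.append(name)
        elif hmac.compare_digest(sha256_hex(data), expected):
            matching.append(name)
        else:
            mismatched.append(name)
    unexpected = sorted(set(rebuilt) - set(published))
    return {
        "ok": not mismatched and not missing,
        "matching": matching,
        "mismatched": mismatched,
        "missing": missing,
        "unexpected": unexpected,
    }


# Constructed "published" manifest. The digests are the standard SHA-256 test
# vectors for b"abc" and for the empty input, so the expected outcome is known.
PUBLISHED_MANIFEST = """\
# tool-1.0 release checksums (constructed for this example)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tool-1.0/bin/tool
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *tool-1.0/share/NOTICE
"""

# A faithful rebuild reproduces both artifacts byte for byte.
REBUILT_OK = {"tool-1.0/bin/tool": b"abc", "tool-1.0/share/NOTICE": b""}

# A modified redistribution: one byte changed in the binary, NOTICE dropped,
# and an extra file the release never shipped.
REBUILT_TAMPERED = {"tool-1.0/bin/tool": b"abd", "tool-1.0/bin/helper": b"x"}

if __name__ == "__main__":
    for label, build in (("faithful", REBUILT_OK), ("tampered", REBUILT_TAMPERED)):
        print(label, verify_release(PUBLISHED_MANIFEST, build))
```

A matching result only shows that your rebuild reproduces what upstream published; it says nothing about whether the published source itself is clean, and it is only meaningful if the manifest was obtained through a channel you trust (for instance a signed release page) rather than alongside the binary being checked. Non-reproducible builds (timestamps, embedded paths, non-deterministic linkers) will show up as mismatches even when nothing is wrong, which is why projects that want this property have to make their build deterministic first.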
1

Yes, it is possible. Open-source software is only as secure as the procedures followed to review and audit the code.

You cannot assume that because a software package is open-source, somebody actually bothered to review the code. When you open-source software you merely afford the opportunity for the code to be reviewed by your peers or some other body, but there is no guarantee that it will actually happen. TrueCrypt and OpenSSL (Heartbleed) are prime examples where an audit/review of the code was only commissioned after some controversy or exploits exploded around it.

The problem is also that, due to the informal nature of the open-source community, there is no "This has been peer reviewed" badge or certification on an open-source package. Usually the first indication of a project having been closely scrutinized would be a report on vulnerabilities or backdoors. Depending on your level of paranoia, it would make sense not to implicitly trust open-source software but rather to decide on your level of trust after some research on it.

Another problem could be the "I assume someone else did it, so why should I?" issue. If there is no formal review and everybody thinks someone else did it, then nobody ends up doing it. This means that open-source software is trusted by many based on the incorrect assumption that "some other smart people" surely looked at it.

The reasons above, among others, are what led to the creation of the Linux Foundation's Core Infrastructure Initiative.

ilikebeets
0

First of all, open source software can be viewed inside out and checked for backdoors, so the "not get caught" aspect falls apart instantly. And as @schroeder said, bugs and errors can create insecurities, but that is not intentional and hence not exactly a backdoor.

Slava Knyazev
-1

It can be untrusted, yes, but the other alternative, the "closed-source", the proprietary one, is in fact non-trusted. Now you decide whether to leave your professional secrets, your industrial projects, in proprietary hands and their "spy government friends", or to leave them to open source software that was, and is, reviewed and audited by programmers from all over the world.

Excuse my bad English.

rusta