Explore open source approaches to application and service security in this conference talk from AppSecEU 2016 in Rome. Delve into Mozilla's open source threat model, bug bounty program, and web services security strategies. Learn about the economics of zero-day bugs, internal communication processes, and web bug intake methods. Examine the challenges of measuring security, including the limitations of quantitative assessments and the epistemological problems associated with security verification. Gain insights into qualitative assessments, maturity models, and the complexities of determining which security approaches are most effective. Discover Mozilla's road map for improving security and the role of red team exercises in enhancing overall security posture.