by yaps8 3185 days ago
Well, if you compare the situation where an adversary has access to source code with a situation where they don't, everything else being the same, they have a higher chance of finding vulnerabilities in the first.

The "security-by-obscurity" point does apply when you compare "going open-source with many observers" to "being closed-source with no one looking", but this is not the case here.

1 comments

...now enter fuzz testing and your first statement goes out the window.
Fuzz testing is far, far easier and more complete if you have the source code. It is not required to have the source to fuzz, but white-box fuzzing can be combined with code coverage analysis to make sure you hit all code paths, including ones that would rely upon a more structured sequencing of the inputs. Black-box fuzzing could eventually reach the same end result, but it would take far longer or far more resources.
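
The coverage point in the comment above, as an added example that is not part of the original thread: a toy parser is fuzzed once with random inputs and once with a loop that keeps any input reaching a new branch. The `target` function, the `FUZZ` header, the seeds and the budgets are all constructed for illustration.

```python
import random

MAGIC = b"FUZZ"  # constructed 4-byte header for the toy target

def target(data: bytes) -> frozenset:
    """Toy parser under test; returns the set of branch ids it executed."""
    hit = set()
    for i, want in enumerate(MAGIC):
        if len(data) <= i or data[i] != want:
            break
        hit.add(i)  # branch i is only reachable after branches 0..i-1
    return frozenset(hit)

def blackbox(budget: int, seed: int = 1) -> int:
    """Random inputs, no feedback. Returns how many branches were ever reached."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(budget):
        seen |= target(bytes(rng.randrange(256) for _ in range(len(MAGIC))))
    return len(seen)

def coverage_guided(budget: int, seed: int = 1):
    """Mutate corpus entries and keep any input that executes a new branch.
    Returns (branches reached, executions used)."""
    rng = random.Random(seed)
    corpus = [bytes(len(MAGIC))]  # start from four zero bytes
    seen = set(target(corpus[0]))
    for n in range(1, budget + 1):
        child = bytearray(rng.choice(corpus))
        child[rng.randrange(len(child))] = rng.randrange(256)
        cov = target(bytes(child))
        if not cov <= seen:  # new coverage: this input is worth keeping
            seen |= cov
            corpus.append(bytes(child))
            if len(seen) == len(MAGIC):
                return len(seen), n
    return len(seen), budget

if __name__ == "__main__":
    print("black-box branches:", blackbox(100_000))
    print("guided (branches, execs):", coverage_guided(100_000))
```

With the same execution budget, the feedback loop climbs the nested checks one byte at a time, while the random generator has to guess all four bytes at once.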