by rwbcxrz 2956 days ago
I suppose the theory is that open source is better (a) because you can audit it if you want to, and (b) it's more likely that someone out there has audited it.

In practice, (a) falls apart if the user doesn't have the knowledge, experience, or time necessary to perform an audit, which is quite likely for security software. And I feel like (b) isn't great either, as there are plenty of examples of major flaws in open source projects that went undetected for long periods - Heartbleed is just one example.

3 comments

I agree with that assessment, but how many vulnerabilities have been found in closed-source software? If the software is popular enough, someone somewhere is going to find a vulnerability whether it's open or closed source. Look at all of the vulnerabilities that Google has found in closed-source software. It just takes more skill and incentives to find vulnerabilities. The black hats have found vulnerabilities in iOS that Apple still hasn't managed to patch - like the one that lets law enforcement break into a locked iPhone and bypass the failed login attempt limit.
I think the question is whether the likelihood of the party finding the vulnerability being a “good guy” or a “bad guy” is different between closed and open source. I’d suspect not, but who knows.
Stuxnet didn’t rely on open source software.

There are major unrevealed flaws in all software more complicated than “hello, world.”

Agree, open source is a right for the users, whether or not they have the ability to audit it.