Regarding security of NetBSD: "Specifically, the NetBSD source tree is periodically analyzed by two separate code scanners to maintain and improve code quality: Coverity - a commercial code scanner, and Brainy - a private code scanner developed by a NetBSD developer. Several security features are available in NetBSD, including IPsec, a homegrown firewall (NPF), a file integrity system (Veriexec), a kernel authorization framework (kauth(9)), disk encryption (CGD), among others. In terms of exploit mitigations, NetBSD supports a good number of modern features: W^X (in both userland and the kernel), Userland ASLR, Kernel ASLR, SMEP, SMAP, and a variety of other internal kernel bug detection features. Support for these mitigations sometimes depends on the capabilities of the hardware." https://www.netbsd.org/support/security/
What I'm less confident about (probably because of my ignorance; I'm talking without numbers) is how many eyes are looking into security issues/bugs. How much time it takes for a port to be fixed and available to users, compared to other vendors, for example.
Not saying that those involved aren't doing excellent work, but maybe more mainstream OSs have both sides: more people working on new attacks, and more people watching for security issues, or paid to work on patching/packaging, etc.