by konstantinua00 804 days ago
It was hidden in tests, so it didn't appear if you pressed the "download source" button and built it yourself, or started crawling through each line of code, IIRC.

In some sense, the exact specifics of the attack were discovered because the norm of open source is even more open than the GPL and co. require.


So discovering the exploit absolutely depended on FOSS. If the vulnerability was in an Oracle product, nobody outside Oracle would have access to their tests (and publishing the bug would be a legal issue).