by rmetzler 804 days ago
I also think that open source is better than closed source. Nothing to argue about.

What I was wondering when I read the same sentence you quoted: how many really serious security bugs like Heartbleed, CVE-2008-0166, or the xz drama are happening without people finding out about it and publishing their findings?

1 comment

In open source there are only two likely outcomes when someone notices a security issue: either they plan to hoard it for their own gain, or they tell the world about it and earn the kudos. The ability to earn kudos is a right proper pain in the arse because a lot of things that have little to no impact on security are loudly touted as security bugs, and so a lot of time is wasted on triage of non-security issues in open source.

The problem with closed source is there is a third possibility: ignore the problem and save on the cost of fixing it. The responsible disclosure regime we have now is because companies almost always chose this option, i.e. denied it was a problem and refused to invest to fix it. When the discoverer then released the bug anyway, they were so enamoured of this approach that they tried solving the disclosure problem by suing the researcher.

If you think companies still don't ignore security issues when they are given a choice, you are kidding yourself. The problem compounds because when you do find a bug, open source makes it easy to see if you can use it to create a security issue. In proprietary code that's much harder, so I'm 100% certain a fair number of potential security issues don't get patched because it isn't obvious how to exploit them. Nonetheless they are chinks in the armour, so they give the bad guys an excellent set of starting places to start looking.