[graceful6800]

There are actually three states:

- A bug exists and nobody knows

- A bug exists and some people know

- A bug exists and everyone knows

As an outside observer, there is no way for you to determine if a bug is in state one or two, you only know once it's in the third state.

Which is the entire problem here. Having the bug be known to everyone is a vastly improved state over being known to a few. Yes, the bug being completely unknown is better than being known to a few, but there is no way to ever know if that's the case.

From the outside, known to none and known to a few are indistinguishable, and thus both states are the worst possible case. The only remedy is to make the bug known to everyone such that it cannot be covertly exploited.

[psychoslave]

That's not the whole picture though. Bugs exist anyway. The only practical concern is, which are practically most likely going to be used among all these bugs that yes exist and included in production.

[graceful6800]

You've described states one and two as outlined above.

Whether a bug is exploitable is an entirely separate category of unknowable, because seemingly-innocuous bugs quite often have very deep and very subtle implications that when combined with another innocuous bug, result in an RCE or PE.

Therefore, it's sensible to treat all bugs as potential threat vectors unless and until proven otherwise. Which brings us full circle: state 3, all bugs being public, is probably the safest thing because nobody can know if a bug is in state 1 or 2.

[psychoslave]

It's sensible just as it's sensible to have invulnerable immune system.

Sure, who wouldn't like to have that? Such a thing is impossible to reach starting with the same reason as Gödel's incompleteness theorem is a thing, plus a gazillion of more practical constraints.