by leccine 4363 days ago
Well, you can do audits for backdoors and malware without having the source code. It is a common misconception in open source communities that you cannot do these without the source. If you check the pro security guys, they do not care about source code too much; it makes exploitation a bit easier, but that is it. On top of that, having the source code does not guarantee that you will find the security bugs either. See OpenBSD weakened crypto.

I think this is something of a continuum from actively hostile to external audit (proprietary EULAs and legal threats; binary code obfuscation) to actively welcoming of it (an open source project like Tor that will give advice to researchers who are studying or reviewing it, or other projects that try to encourage audits in other ways).

I agree that it's much more feasible to read binaries than we tend to think, and that they're intelligible artifacts that many people do make a habit of studying.

Yes, there is a continuum, and there are great Tor-like projects in that sense. Where you end up on that continuum mostly depends on the reviewing process.