>>13523772
I work in cybersecurity, application security (AppSec) to be exact. Open source is full of security vulnerabilities. The meme that everyone being able to see code will mean that defects will be found and fixed is just that, a meme. What's worse is that even after vulnerabilities are discovered, it is difficult to find anyone to fix them.
Remediating security bugs is boring, tedious work. Most people who volunteer for open source projects want to work on new features. If they work on defects, they want them to be highly visible defects. Remediating a vulnerability in a random text parsing library so that XML entities can't be used to trick some process into seeing an escape sequence that allows the execution of arbitrary code isn't sexy or interesting. So it gets marked as a low priority and never gets fixed unless there's a high profile exploit of the vulnerability.
None of this means that closed source is free of vulnerabilities or even better than open source. It just means that they're both chock full of vulnerabilities, so don't think simply making something open source makes the defects go away, because it doesn't.