[Thanks to LinuxBoy for this link.]
“If Open Source were the panacea some think it is, then every
security hole described, fixed and announced to the public would
come from people analyzing the source code for security
vulnerabilities, such as the folks at OpenBSD, the Linux Auditing
Project, or the developers or users of the application.”
“But there have been plenty of security vulnerabilities in
Open Source Software that were discovered, not by peer review, but
by black hats. Some security holes aren’t discovered by the good
guys until an attacker’s tools are found on a compromised
site, network traffic captured during an intrusion turns up signs
of the exploit, or knowledge of the bug finally bubbles up from the
underground.”
“Why is this? When the security company Trusted Information
Systems (TIS) began making the source code of their Gauntlet
firewall available to their customers many years ago, they believed
that their clients would check for themselves how secure the
product was. What they found instead was that very few people
outside of TIS ever sent in feedback, bug reports or
vulnerabilities. Nobody, it seems, is reading the source.”