It sounds good in theory: the more eyes there are on the code, the fewer bugs there will be in the future.

The reality is that a good percentage of the people using the app will never actually fix or report any bugs (or even look at the source, for that matter). There are usually a small number of people who actually do make changes. If you had 1000 developers making constant updates, the project would be impossible to maintain.

Many of the open source apps that I've used in the past don't even have bugs discovered for months or even years after they were in the wild, which tells me that it's not that much more efficient at finding and fixing security issues than a closed-source app.
This article oddly doesn't really address the subject of this post. It really argues why open source shouldn't be more insecure, but really gives no argument why it is more secure.

I've always found that open sourcing code makes it more likely bugs are found, whether by white or black hats. But due to the asymmetry in the value of security bugs, finding more bugs is actually a bad thing.
I could swear there was a test comparing open source vs. closed source bugs over time, and what they concluded was that they were equal in the number of bugs produced. Open source doesn't create magical code without bugs. What it does seem to create is zealots with a soapbox.