If an organization was to implement open source EMR/EHR, if someone had the source code, could it be breached?

If a healthcare organization was to implement an open source EHR or EMR, and if an unauthorized person had the source code from the original vendor, couldn’t the system be breached? I understand that the EMR/EHR vendor has probably been through HIPAA regulation, but with an open source model, isn’t the system very susceptible?

3 Responses to “If an organization was to implement open source EMR/EHR, if someone had the source code, could it be breached?”

  • Aaron:

    In theory a person could possibly find a vulnerability, but that is rarely the case. But there are other and more efficient ways of finding vulnerabilities than just reading the source.

    There is also no evidence that closed source is significantly more secure than open source because of the fact that source code is released. In fact many vendors find open source to be more secure than closed source.

    Just to give out a point, Linux-based systems (which are open source) power about 20% of all servers. Yet it is still regarded as being the most dependable server.

  • Paul W:

    With closed source software a limited number of people can review and scrutinize the source code to look for security vulnerabilities. With open source everybody has access to the source code. That means you can have lots of programmers doing a design review and finding security-related bugs. Imagine what it would cost to pay only 10 separate programmers to do a thorough design review of a closed source program.

  • JoelKatz:

    Lots of people make the same assumption you do and use it to justify not fixing security flaws. After all, since nobody will find them, they do no harm. But then people do find them. And then they do harm.

    I can’t tell you how many times I’ve found a vulnerability in a closed source package and informed the vendor only to have them not fix the problem. They will argue that an exploit is "not practical". I’ve *never* had that issue with an open source project.

    Take the renegotiation problem in TLS. The OpenSSL folks had a temporary fix in hours and a new release in a few days. People with open source could fix the bug themselves immediately and deploy fixed code in less than a day. What did closed source vendors do? Some claimed their customers probably had checks elsewhere in the system that made exploiting this vulnerability impractical. Fixes are still not available for many closed source products.

    Not having the source doesn’t slow down the people trying to find vulnerabilities very much. But it sure hampers the effort to validate that the design is secure and to fix it if it isn’t.

    Want another example? See my link.
    "Mozilla : Fixed in Firefox 3.0.5 and 2.0.0.19
    IE : No fix for IE5,IE6,IE7,IE8 until IE9"

    And what happens if the vendor goes out of business or stops supporting the product you use? What do you do then when a security flaw is found?
