>And yet there have been plenty of long-standing security issues in Linux…
• See the first half of my second sentence.
>Why would you think that a bunch of people volunteering their time would be more motivated to look for security issues
• So they're not harmed by the vulnerabilities. I'm on a big tech red team. I routinely look for (and report) vulns in open source software that I use - for my own selfish benefit.
>and even those that are found, how many would be disclosed responsibly instead of being sold to places like Pegasus?
• Not all of them; that's a fair point. But I'd rather have the ability to look for them in source than need to look for them in assembly.
• Keep in mind that the alternative you're proposing (that proprietary code can be more trustworthy than open source code) is pretty much immediately undermined by the fact that the entities who produce proprietary code are known to actively cooperate and collaborate with the adversary - look no further than PRISM for an example. Microsoft, for instance, didn't reluctantly accept - they were the first ones on board and had fully integrated years before the second service provider to join (Yahoo, iirc).
• If you want to start a leaderboard for "most prolific distributor of vulnerable code", let's see how the Linux project stacks up against Adobe and Microsoft. I wouldn't even need to research that one to place a financial bet against "team proprietary".