it’s not intrinsically safe, nor is it necessarily considered safer than closed source. it’s not less safe though. the openness of the source code really has no guaranteed or straightforward impact on whether it’s safe or whether it functions as intended. the openness clearly has some sort of effect though, for a couple reasons.
1) the fact that the source code is human-readable means that anyone can potentially discover a vulnerability or an attack built into the code. this is sort of the opposite of the concept of security through obscurity, since a good target for an attacker will also be a popular subject of community contribution and discussion, setting up an emergent “warning system.” which plays into…
2) this fact also means that attackers don’t need to do as much work reverse-engineering or testing the software to find a vulnerability. so we’re kind of talking about an arms race here. attackers have more access but so do contributors and users. the rate of development might be accelerated, or at least development might be broken down into smaller, more frequent discrete updates (e.g. fast release cycles resulting from frequent pushes). that used to be pretty apparent i think, but over the last 10 years or so it seems like major proprietary software developers are assimilating more and more of the techniques and culture of the OSS community. for example, i think the centralization of version control systems like git and mercurial has contributed to the convergence of these models. plus the constant improvement of the internet is allowing companies like adobe to ship updates like… i don’t know, 100 times more often than they did in 2002? anyway…
3) if you can personally read the code or you’re in close communication with people who can, then the benefits of OSS might be greater for you than for the average person. in theory it benefits everyone, but like i said in #2, proprietary developers are constantly growing and accelerating their development schedules. so the main benefit to the average person would just be that someone else may catch a problem before the developers and before a would-be attacker, and that this gets resolved as a consequence. but for the community who are intimately engaged with the development, or can at least read the source code, the chances of avoiding an attack or a breach of privacy are obviously going to be much greater.
4) like others have said, it’s not exactly true that some anonymous stranger can just change open-source software. open source simply means that the source code is publicly available. the person(s) who made it still own and control their repository, website, and any other distribution channels they might have. they might include a checksum so users can ensure the compiled binary they downloaded is the real deal. basically anyone can view the source, (likely) compile it, and upload it to the internet, but not just anyone can actually get people to download and run it. they would need to exploit some underlying vulnerability, e.g. hacking the real developer, stealing their identity, social engineering, etc. and although that’s all possible with OSS, it could just as easily happen to a proprietary software company (and has happened many times) so it wouldn’t factor into my comparison.
there are a lot of other factors to consider too. there’s an economic angle to this, for example. it might be easier for an attacker to tack some malicious behavior onto an open-source project, but open source projects may have less market share and make for overall less appealing targets. the companies with the most customers largely do not share their source code, and apparently that doesn’t deter bad actors from trying to reverse-engineer the code.
but the way i see it, we’re talking more about fundamentals here than about the real state of computing and info tech today. if we’re trying to evaluate the overall safety of these things, it’s difficult because most attacks aren’t simple exploits of the source code of a project that’s either open or closed. traditional viruses still exist, but the really variable factor is the vector, and from what i’ve read on sites like trendmicro, nowadays the vector for most non-targeted attacks is the web. there are still groups that attack corporations or governments with highly specific attacks but since you’re not a corporation or a government, you don’t have to worry much about that. more likely is that they attack a company which serves you and possesses your private data, a company which probably has an enormous combination of open and closed source dependencies.
in any case the stuff that’s most likely to attack you in the wild is going to exploit a vulnerability in something on the web. most likely is a vulnerability in one of the modules that a website you use depends on, and these are almost exclusively open-source. however, that’s not really relevant to the comparison either, because there isn’t much choice in the matter. most web languages are interpreted, not compiled, and although there are methods of obfuscating code and all sorts of tools to package or transpile or otherwise deviate from the source code, it’s still much easier to reverse-engineer than something like a C++ program. what i’m trying to say is, you don’t really have a choice to not use open-source software when you’re using the internet. the internet quite literally runs on open-source frameworks and libraries and tools of every kind.
many websites have hundreds of open-source dependencies. and most of these dependencies have some type of vulnerability. it’s a challenging situation because even if a given vulnerability has been fixed long ago, your browser or the webserver you connect to may not be executing the up-to-date version of that module. when your site requires hundreds of modules, and each of those modules requires many others, you often get in a situation where one of your modules relies on an outdated version of another module. there are also circular dependencies where one thing relies on one version of another which relies on something else and it ultimately folds back on itself. in either case, updating to the safe version of the module might break a website’s core functionality. so there are TONS of web resources hosted at this very moment that are simply tolerating the vulnerabilities, and others that are just in stasis due to the cessation of development.
i guess the point i’m trying to make is that, for better or worse, those pros and cons are baked into the fabric of the internet and are inescapable at this point. the most likely way for someone to attack you is probably through some kind of open-source code, but it’s also the open-source world that is leading the charge on the other side of that arms race, and there isn’t any option to get some proprietary version of the internet. unless you [want to try the innernette](https://www.youtube.com/watch?v=Y5BZkaWZAAA), that is.
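The situation described in the answer above, where a site ends up running an old copy of a module because one of its other dependencies pins the old version, is easy to see by walking a lockfile. The following is an added example, not code from the answer's author or from any project: it audits a constructed, npm-lockfile-v1-shaped dependency tree against a hypothetical advisory list (the package names, versions and "fixedIn" values are made up for illustration) and, for every vulnerable copy it finds, reports the chain of dependents that pulled it in and whether the semver range the dependent asked for would even accept the fixed version. The semver handling is a deliberately minimal subset (exact, `~` and `^` ranges on `x.y.z` versions) rather than a full implementation.

```javascript
// Added example: audit a lockfile-style dependency tree for packages that are
// installed below an advisory's fixed version, and check whether the package
// that depends on them would accept the fix. Sample data is constructed.

function parseVersion(v) {
  // "1.2.3" -> [1, 2, 3]; anything that doesn't parse sorts lowest
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : [-1, -1, -1];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal semver range check: exact "1.2.3", tilde "~1.2.3" (same major.minor),
// caret "^1.2.3" (same major; for 0.x, same major.minor). Prereleases and
// compound ranges are not handled; this is illustrative only.
function rangeAllows(range, version) {
  const base = range.replace(/^[\^~]/, "");
  if (compareVersions(version, base) < 0) return false;
  const lo = parseVersion(base), v = parseVersion(version);
  if (range.startsWith("^")) return lo[0] > 0 ? v[0] === lo[0] : v[0] === 0 && v[1] === lo[1];
  if (range.startsWith("~")) return v[0] === lo[0] && v[1] === lo[1];
  return compareVersions(version, base) === 0;
}

// Recursively walk `deps` ({name: {version, requires, dependencies}}), carrying
// the chain of dependents so each finding says who pulled the old copy in.
function auditTree(deps, advisories, parent, path = [], findings = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    const adv = advisories.find((a) => a.name === name);
    if (adv && compareVersions(info.version, adv.fixedIn) < 0) {
      // The range the dependent asked for decides whether a plain update is
      // possible or whether the dependent itself has to change first.
      const range = parent && parent.requires ? parent.requires[name] : undefined;
      findings.push({
        name,
        installed: info.version,
        fixedIn: adv.fixedIn,
        path: here.join(" > "),
        requiredAs: range,
        fixAllowedByDependent: range === undefined ? true : rangeAllows(range, adv.fixedIn),
      });
    }
    auditTree(info.dependencies, advisories, info, here, findings);
  }
  return findings;
}

// Constructed sample, modelled on the npm lockfile v1 layout. The root's
// `requires` stands in for the ranges a package.json would declare.
const SAMPLE_LOCK = {
  requires: { "template-engine": "^2.4.0", "query-builder": "^1.8.0", "web-framework": "^4.0.0" },
  dependencies: {
    "template-engine": { version: "2.4.1", requires: {} }, // hoisted copy, already fixed
    "query-builder": { version: "1.8.3", requires: {} }, // old, but ^1.8.0 accepts 1.9.0
    "web-framework": {
      version: "4.2.0",
      requires: { "template-engine": "~2.3.0" }, // pins the old minor line
      dependencies: {
        "template-engine": { version: "2.3.7", requires: {} }, // nested old copy
      },
    },
  },
};

// Hypothetical advisories; the names and versions are invented for the example.
const SAMPLE_ADVISORIES = [
  { name: "template-engine", fixedIn: "2.4.1" },
  { name: "query-builder", fixedIn: "1.9.0" },
];

function auditSample() {
  return auditTree(SAMPLE_LOCK.dependencies, SAMPLE_ADVISORIES, SAMPLE_LOCK);
}

for (const f of auditSample()) {
  const verdict = f.fixAllowedByDependent
    ? `update to ${f.fixedIn} is within the declared range ${f.requiredAs}`
    : `dependent range ${f.requiredAs} rejects ${f.fixedIn}; the dependent must be updated or patched first`;
  console.log(`${f.path}: ${verdict}`);
}
```

Run with `node` and the output shows the two cases the answer describes: the top-level `query-builder` copy can simply be updated, while the `template-engine` copy nested under `web-framework` is stuck on 2.3.x until `web-framework` itself relaxes its `~2.3.0` range. Note that the hoisted, fixed `template-engine@2.4.1` at the top level does not help the nested copy at all; both are loaded.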