How are open source programs safe? Doesn’t open source make it easy for hackers to find vulnerabilities or contribute malicious code?


Perhaps I need a better understanding of what open source means, but how can a program that is openly publishing its code not be super vulnerable to cyber security threats? That’s like a bank publishing exactly how all its security works, right? Obviously I’m missing something here, so ELI5!


44 Answers

Anonymous 0 Comments

There are different kinds of security. Using the bank analogy, banks have a vault.

They want everyone to know how thick the walls of the vault are and what kind of steel it’s made from. Knowing this doesn’t make it easier to steal from the bank. If anyone was able to cut into a vault, every bank would know immediately and would probably change their vaults.

Some vaults have combination locks. If anyone finds out the combination, then it doesn’t matter how thick the walls are, that vault is useless, and nobody will know.

Other vaults have key locks or time locks. Knowing that the vault has a key lock or a time lock doesn’t help you open it.

Open source software is like telling everyone how thick the walls of your vault are and using keys or time locks that can’t be opened with a secret. It also promotes a community of people who all care about keeping vaults safe and who can share best practices without helping criminals.

Just publishing your code doesn’t make it safe. Having a community of smart people working with it and improving it does. The Linux kernel that is running most of the internet is possibly the most inspected code in the world. You don’t have to understand it all yourself for it to be safe, because others who have more to lose from a breach than you do are doing that.

Anonymous 0 Comments

Imagine baking a cake, and the recipe is the source code.

For closed source, the bakery will keep the recipe a secret, so the best cake they can make is only up to their best baker. When something isn’t done optimally, nobody knows why the cake doesn’t taste as good; it will just taste bad.

For open sourced, the entire recipe is open to the world. When something works or something can be improved, everyone in the world can contribute to it.

Yes, someone malicious can contribute bad ingredients, but someone else would’ve noticed it and corrected it almost immediately.

Anonymous 0 Comments

> Doesn’t open source make it easy *for hackers* to find vulnerabilities

Hackers are already spending insane amounts of effort to find vulnerabilities if the payout is huge; open source makes it easy *for everyone else* to find them with minimal effort.

The number of people who can and are willing to look for vulnerabilities when they aren’t hindered vs. the number of hackers who will do it either way is huge, so most of the time the former will find it first, notify the developers, and then the developers fix it.

Anonymous 0 Comments

The idea is that by being open sourced, everyone can look at the code, see where the vulnerabilities are and try to fix them. If there is one hacker who finds an exploit, there will probably be dozens of people who found it also and have a patch for it. That’s one way open source is more secure.

The other way is that the original developer can decide how the patches and improvements are delivered to the customers. Some (most) developers require patches and improvements be submitted back to the developer, so they can be examined before being pushed to the customers.

People can certainly create a copy of the software using the original source code that then contains malicious code. However, it wouldn’t be the original software anymore, but a fork.

Anonymous 0 Comments

Depending on what your thresholds are, all software where the executable files are accessible and readable could be considered to be open source. People who have sufficient resources and/or experience can read the executable files (i.e. machine-readable source code) and reverse engineer them into human-readable source code to understand how a program works. Or, more likely (because it’s a smaller surface to look at), they’ll reverse-engineer security patches/updates to understand what the patches fix, and try to work out how to exploit the things the patches are trying to fix in unpatched systems. And once that knowledge is discovered by one person, it can be easily replicated and sent round the world.

Where human-readable source code is made freely available by the developers, the resources required to understand how a program works are substantially reduced, so the number of people who can look at that code and suggest changes is substantially increased. That’s the hope of free and open source software – by allowing anyone to essentially have the same information that program developers have, enough people will want to improve the software that it is a net benefit to the users of the software.

Anonymous 0 Comments

As far as I know, most open source projects (and most software projects) use some sort of Version Control Service (VCS) such as GitHub. These services allow projects to be posted publicly and managed by admins. Anybody can submit changes but admins review then accept or deny them as well as resolve conflicts if other changes occurred before the submission.

Anonymous 0 Comments

You have a brick wall. The recipe for a brick wall is well known: bricks and mortar laid in a pattern.

You have people on both sides of the brick wall looking for cracks in the brick wall.

Some folks will try to push something through the crack that doesn’t belong, but others will be trying to patch up those cracks with new material that prevents people sticking bad things inside the wall.

Anonymous 0 Comments

Knowing how something works isn’t a vulnerability.

In your bank example, if you know the bank requires a keycard+PIN to get through secure doors, knowing that fact doesn’t help you, you still need to get your hands on a keycard and PIN to open those doors.

If you’re thinking: “I’ll just make my own keycards and PIN”, the information on those cards that makes them valid in the bank’s security system isn’t part of the openly available information and registering a PIN requires you to already have access to the system.

Each user of an open-source system configures their own secure data and keeps it secret from the public.

As for contributing malicious code:

You can *ask* the maintainer of an open-source project to include your code. If they don’t know you they will (hopefully) read through the code you’re asking to include, ask you questions about it and if they don’t like what they see or hear they will just deny your request.

You can add your code to your own version of the software, but you would have to convince people to use your version instead of the original, and a bunch of people will look at your version of the software purely out of curiosity. If they find anything suspicious they will tell everyone they know to stay away from your software.

Anonymous 0 Comments

You have different scales of programs in terms of volume. Let’s suppose you download a program that’s only 2KB in size, a few lines of code, and its purpose is to increase the brightness of your screen. It does so by using the same mechanism Windows uses. It is just a handy program that helps you do it faster. No problem there. Now imagine a 500MB program that is an audio player, cloud service, etc. (imagine something like Spotify). That is not “only” a small program but a set of several files that may depend on other files (following the Spotify example, it has the Spotify program and also has a kind of Google Chrome inside). So if any of those small programs, or libraries or anything, is vulnerable, most probably all the rest of the program is.

So, the potential vulnerability of the code depends on a lot of things: the size, the number of elements it is made of, etc. In digital security they call it “attack surface”. In simple terms it is something like the more you encompass, the more you expose yourself.

Open Source software can rely on closed source software, meaning you have an open source program that does something but through other programs. Again, I’ll say it: the more complexity, the higher the risk.

Anonymous 0 Comments

The idea behind open-source software is that there are more “good” people who want the project to succeed because they find it useful than “bad” people who want to use it maliciously.

The more “good” people you have looking at the code and scrutinizing it, the less likely a “bad” person will be able to introduce malicious code to the program.

Also in most open source projects, there’s a system of checks and scans both automated and manual by the maintainers that take place before code is “merged” into the existing program and distributed for other people to use, making it very difficult for someone to just slip in malicious code.
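The automated checks this answer mentions, and the maintainer review of submitted changes described in an earlier answer, are usually a gate that runs over the proposed diff before anyone is allowed to merge it. The script below is an added example, not code from any commenter or from any real project: it parses a unified diff, tracks the line numbers of the new file, and flags added lines that match a few risky patterns (dynamic code execution, shell-enabled subprocess calls, pipe-to-shell installers, Unicode bidirectional control characters that can hide what reviewers see, and very long lines that often carry obfuscated payloads). The sample diff, the path app/util.py and the rule list are constructed for illustration; a real project would tune the rules and treat a hit as "needs a human look", not as proof of malice.

```python
"""Pre-merge diff scanner (constructed example, not a real project's tooling).

Reads a unified diff, walks the hunks, and reports added lines that match
a small set of review-worthy patterns. The output is meant to feed a CI
check that blocks auto-merge until a maintainer has looked at the finding.
"""
import re
from dataclasses import dataclass

# Rule name -> regex applied to the content of each added ("+") line.
RULES = [
    ("dynamic-eval", re.compile(r"\b(eval|exec)\s*\(")),
    ("shell-true", re.compile(r"shell\s*=\s*True")),
    ("pipe-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    # Bidi override/isolate characters can make displayed code differ from parsed code.
    ("bidi-control", re.compile("[\u202a-\u202e\u2066-\u2069]")),
    ("long-line", re.compile(r".{300,}")),
]

# Unified-diff hunk header: "@@ -old[,count] +new[,count] @@ optional text"
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int   # line number in the *new* version of the file
    rule: str
    text: str


def scan_diff(diff_text: str) -> list[Finding]:
    """Return one Finding per (added line, matching rule) in the diff."""
    findings: list[Finding] = []
    path = "<unknown>"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            # "+++ b/app/util.py" -> "app/util.py"
            path = raw[4:].strip()
            if path.startswith("b/"):
                path = path[2:]
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue  # old-file header or "\ No newline at end of file"
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("+"):
            content = raw[1:]
            for name, pattern in RULES:
                if pattern.search(content):
                    findings.append(Finding(path, new_line, name, content.strip()[:80]))
            new_line += 1
        elif raw.startswith("-"):
            pass  # removed lines do not exist in the new file
        else:
            new_line += 1  # unchanged context line
    return findings


def needs_human_review(findings: list[Finding]) -> bool:
    """Policy hook: any finding at all blocks auto-merge (constructed policy)."""
    return len(findings) > 0


# Constructed sample diff: a contributor adds a "hook" that executes config text
# and switches a subprocess call to shell=True.
SAMPLE_DIFF = """\
diff --git a/app/util.py b/app/util.py
--- a/app/util.py
+++ b/app/util.py
@@ -10,3 +10,6 @@ def load_config(path):
     with open(path) as fh:
         data = fh.read()
-    return json.loads(data)
+    cfg = json.loads(data)
+    # "fast path" for trusted hosts
+    exec(cfg.get("hook", ""))
+    return cfg
@@ -20 +23 @@ def run(cmd):
-    return subprocess.run(cmd, check=True)
+    return subprocess.run(cmd, check=True, shell=True)
"""


def main() -> None:
    found = scan_diff(SAMPLE_DIFF)
    for f in found:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.text}")
    print("block merge:", needs_human_review(found))


if __name__ == "__main__":
    main()
```

Running the script on the constructed diff reports the `exec(...)` call at app/util.py line 14 and the `shell=True` change at line 23. Line numbers come from the hunk headers, so the finding can be posted as a review comment on the exact line rather than on the whole pull request; that is what makes the automated step useful to the human reviewer it is meant to support, not replace.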