Comment by sroussey
7 years ago
I can't speak to the data analysis part, though I do believe some people have looked into it, and hopefully they can add their thoughts.
From my experience, the answer is: it depends very much on the community the project has.
First, the obvious positives: you could have lots of people with lots of different kinds of experience looking at the code, finding and fixing things.
This is how I got involved in Firebug back in the day. But I also noticed that while millions of developers used it daily, the number that got all the way to the issue reporter was small, and the number that posted fixes in an issue was minimal (I got to know them by name). Only once do I remember a security issue being reported, considering that extensions had such broad and unlimited access back then.
So, if it does not invite that kind of community, then it is possible to be a net negative with only blackhats having a reason to inspect the code. OR, you have a social problem within the community (also common), where people assume that with such a large community, surely someone looked at X. Everyone thinks that, so no one looks at X. Years later someone does and finds some surprising things in code that withstood the test of time.
That said, I think the case of UEFI would be different. It might be a good candidate for shared source at least, if it isn't already.