• Phen · 3 days ago

    The code is open for anyone to inspect, test, and improve. Vulnerabilities don’t stay hidden as they are found, reported, and fixed in the open.

    That’s also a myth, especially for a project of the size of Nextcloud. Bugs can and do go unnoticed for years while in plain sight - with no way to know if they’ve been detected by any black hat.

    Even worse: as soon as you merge a security fix in an open repository, people will instantly be trying to abuse it in any environment they can find that is currently running the unpatched version.

    • Cris@lemmy.world · 2 days ago (edited)

      Proprietary software has its own version of that problem where companies are informed of a vulnerability by researchers and then just don’t bother to fix it until the researchers are forced to publish it 😅

      I’d guess the number of competent eyes on large FOSS projects used by companies is probably higher than on more consumer-focused stuff like Nextcloud (does Nextcloud position itself as a corporate tool? Maybe it does and I’m just not aware of it…), but I’m not the most knowledgeable on this subject, so I could certainly be mistaken.

      Edit: I’m dumb and still mostly asleep, just saw it’s literally a Nextcloud article lol

      • ITGuyLevi@programming.dev · 2 days ago

        Or they just call it an under-documented or undocumented feature (thinking specifically about the Azure feature that lets you access other tenants if they are using it, which Tenable reported last June).