I don't "keep suggesting" any such thing.
"You keep suggesting you're more comfortable hearing that your software might have a flat tire from someone you know rather than someone you don't."
Christ no! That was a side comment, speculation as to why *some* people may not have responded, and a bit of a dig at Fortify trying to expand from software tools to consulting with a FUD release. I don't "keep suggesting" any such thing.
The point I *have* kept hammering at has nothing to do with that. It's that Fortify seems to have been looking to make contact with these projects *on the phone*. Open source projects do not generally *have* full time contact people. The ones that do are either exceptionally well funded, or commercial projects that have been open sourced.
You don't contact open source projects on the phone. There's nobody ON the phone. There are plenty of people following bug trackers (which often have a "security" option to allow you to hide the bug from people who aren't members of the project, so that's a red herring), mailing lists, contact email addresses, and so on.
In practice, and I've made this point before, but I'll make it again, *in practice* open source projects have a MUCH better track record of actually responding to and fixing bugs than closed source ones.
Microsoft, for example, is *still* casting aspersions on Safari over the "carpet bombing" incident, but the reason that IE was vulnerable (and still *is* vulnerable to related exploits... Safari's download bug (since fixed) just made it easier to exploit) is because of a design flaw in IE that Microsoft hasn't fixed and has apparently no intention of fixing... the fact that IE runs with the current directory set to the desktop (and is as far as I know the ONLY program that does this), and the default search path on Windows goes through the current directory (which still boggles my mind).
No, this isn't a simple matter to deal with, but this is NOT a matter where open source is, in general, what you should be worried about.
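The mechanism the comment points at (the current directory sitting in the Windows DLL search order ahead of PATH, so a program whose current directory is the desktop will pick up a DLL dropped there) is easier to see with a small model. The block below is an added example, not code from the comment above or from Microsoft; it simulates the documented "safe DLL search mode" order rather than calling the Win32 loader, and the directory layout, DLL names and victim paths are constructed for the illustration. The hardened order models what SetDllDirectory("") (or the CWDIllegalInDllSearch registry value) does, which is to drop the current directory from the search.

```python
"""
Model of the Windows DLL search order behind the 'current directory on the
desktop' problem. Added illustration only; it simulates resolution instead of
calling LoadLibrary, and skips the KnownDLLs / already-loaded-module checks
that the real loader performs first.
"""

# Safe DLL search mode (the default since Windows XP SP2). The current working
# directory (CWD) still sits ahead of PATH, so any DLL that is not found in the
# application or system directories is taken from the CWD before PATH.
SAFE_SEARCH_ORDER = ["app_dir", "system32", "system16", "windows", "cwd", "path"]

# Same order with the CWD removed, which is what SetDllDirectory("") or the
# CWDIllegalInDllSearch registry value achieves for a process.
HARDENED_ORDER = ["app_dir", "system32", "system16", "windows", "path"]


def resolve_dll(name, search_order, dirs, contents):
    """Return the full path of the first directory in search_order that holds
    `name`, or None if no directory does. `dirs` maps a slot in the search
    order to a directory; `contents` maps a directory to its DLL names."""
    wanted = name.lower()
    for slot in search_order:
        directory = dirs.get(slot)
        if directory is None:
            continue
        if wanted in contents.get(directory, set()):
            return directory + "\\" + name
    return None


# Constructed layout: a web page has dropped files onto the desktop (the
# "carpet bomb"), and the browser process runs with CWD = desktop.
# "optional-helper.dll" stands in for any DLL the program loads that is not
# shipped in its own directory or in System32 (hypothetical name).
DESKTOP = r"C:\Users\victim\Desktop"
APP_DIR = r"C:\Program Files\Internet Explorer"

DIRS_CWD_ON_DESKTOP = {
    "app_dir": APP_DIR,
    "system32": r"C:\Windows\System32",
    "windows": r"C:\Windows",
    "cwd": DESKTOP,
    "path": r"C:\Tools",
}

# Most programs start with CWD = their own directory; model that too.
DIRS_CWD_IN_APP_DIR = dict(DIRS_CWD_ON_DESKTOP, cwd=APP_DIR)

CONTENTS = {
    r"C:\Windows\System32": {"kernel32.dll", "shell32.dll"},
    DESKTOP: {"optional-helper.dll", "shell32.dll"},  # planted by the attacker
    r"C:\Tools": {"optional-helper.dll"},              # the legitimate copy
}


def demonstrate():
    """Resolve the same DLLs under three conditions and return the results."""
    return {
        # A DLL present in System32 is safe either way: System32 precedes CWD.
        "shell32_desktop_cwd": resolve_dll(
            "shell32.dll", SAFE_SEARCH_ORDER, DIRS_CWD_ON_DESKTOP, CONTENTS),
        # A DLL found only on PATH is hijacked when CWD is the desktop.
        "helper_desktop_cwd": resolve_dll(
            "optional-helper.dll", SAFE_SEARCH_ORDER, DIRS_CWD_ON_DESKTOP, CONTENTS),
        # Same DLL, CWD set to the application directory: the planted copy is
        # never consulted.
        "helper_app_cwd": resolve_dll(
            "optional-helper.dll", SAFE_SEARCH_ORDER, DIRS_CWD_IN_APP_DIR, CONTENTS),
        # Same DLL, CWD still the desktop, but CWD removed from the order.
        "helper_hardened": resolve_dll(
            "optional-helper.dll", HARDENED_ORDER, DIRS_CWD_ON_DESKTOP, CONTENTS),
    }


if __name__ == "__main__":
    for label, path in demonstrate().items():
        print(f"{label:22s} -> {path}")
```

The point the model makes is that the desktop only matters for DLLs the loader does not find earlier in the order; core system DLLs are not the exposure, but anything optional, delay-loaded or simply absent from the machine is, and the fix belongs to the process (starting in its own directory, or removing the CWD from the search) rather than to whatever program put the files on the desktop.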