Story happens in imaginary universe, but I'm using current time "relativation".
vmWare Player type of application (but for free). I consider adding it to Open Source because everybody is saying how great it is and how fast bugs can be fixed.
There's couple stories to be told:
Side of Manager
I like the fact that everybody can contribute to our project, in order to improve it by using suggestions and trustworthy community. Therefore I posted it on GitHub.
Side of Hobbist
Hey, we're community of 10.000 active programmers. We do our jobs really well. We love this project, so we try to look at files and improve their functionality, performance and security. We find about 5 hours a week each to improve the project.
Side of Haters/Crackers
Hey, we're little group of 100 software crackers. We do our jobs as great as hobbists supporting this project. This project totally pissed us off. So we go on GitHub, analyze the code and decide on how we can strike. We download the legitimate code and change client/server handlers (to allow Heartbleed), that "owners" and contributors don't get to patch, and we use the breach to steal wanted data. And we get past this issue with a year, continuously stealing people's data and it finally gets patched. We find about 70 hours a week each to seek vulnerabilities.
So posting a non-profit project on GitHub or any alike site really that good move? It feels like posting your project on OS site makes it a Russian Roulette. Either you're going to be fast enough to find and patch vulnerability and get yourself good position in "Safe Software" lounge, or cracker are going to crack it easier, steal people's data and people will start disregarding software as unsafe.
Even worse for "managers" of software who will feel almost heartbroken when they want to create great usable and safe software to clients, while it turns out it's just a mine waiting to explode in your face.
I recently started contribution to a software on GitHub (oh boy, better run). And it would feel great to create at least project and find 30 people who like it as much as I do, to scan this code 30 times and make sure it can run at it's best and safest. But on the other side there's always malicious people. Are there any arguments you can throw against this statement? The idea is great, but realism (in my sight) makes it really bad.