>
> He also thinks that even having software out and used for a few
> years without incident does not imply that it is secure. He says
> the best way to evaluate the security of a product is to have it
> audited by security experts.
>
There is no one right answer for this. Payment for a discovery will tend to
bring out some discoveries. For example, if I were looking over some code and
found something odd, then for the potential reward I might think it over a
little more to see what may come of it.
The time a product is out will increase the chances that some errors will be
found. But a lot of code is under constant change, and new problems take only
one little coding error to open up a major exploit. Older products will tend
to be better understood, and some errors will be harder to introduce.
Security "experts" are a dime a dozen.
What you want is software written and reviewed by competent programmers. The
fewer defects in software, the fewer exploits (i.e., if I check my array
bounds I will not overflow a buffer). Good code will not crash and will not
be hacked.
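To make the array-bounds point concrete, here is an added example (not code from the original post) of the kind of check the writer has in mind: two small C helpers that refuse an out-of-range write instead of performing it. The buffer size `BUF_LEN`, the function names and the sample inputs are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed fixed buffer size for the example. */
#define BUF_LEN 16

/* Copy src into a fixed-size buffer, refusing any input that would not fit
   together with its terminating NUL. Returns 0 on success, -1 if rejected.
   The length check runs before any byte is written, so an oversized input
   can never run past the end of dst. */
int bounded_copy(char dst[BUF_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n >= BUF_LEN) {
        return -1;              /* would overflow: reject, do not truncate silently */
    }
    memcpy(dst, src, n + 1);    /* n + 1 copies the NUL as well */
    return 0;
}

/* Store v at index i of an array of len elements, checking the index first.
   Returns 0 on success, -1 if i is out of range. */
int bounded_store(int *arr, size_t len, size_t i, int v)
{
    if (i >= len) {
        return -1;              /* index past the end: refuse the write */
    }
    arr[i] = v;
    return 0;
}

int main(void)
{
    char buf[BUF_LEN];
    int table[4] = {0};

    /* Constructed sample inputs: one that fits, one that would overflow. */
    printf("copy short:   %d\n", bounded_copy(buf, "hello"));
    printf("copy long:    %d\n",
           bounded_copy(buf, "this string is longer than sixteen bytes"));
    printf("store idx 3:  %d\n", bounded_store(table, 4, 3, 42));
    printf("store idx 4:  %d\n", bounded_store(table, 4, 4, 42));
    return 0;
}
```

Both helpers report the rejection to the caller rather than truncating or ignoring it, so the program can fail closed on bad input instead of corrupting adjacent memory.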