All software, whether open source or commercial, faces attacks. With Linux’s source code open and viewable by all, anyone can identify and patch vulnerabilities. Many arguments for the security of open source software are based on the premise that "many eyes bring greater security." The reality is that few people can spot vulnerabilities by casually reading through source code. Compounding the issue, "there isn’t any official system for reviewing open-source code for security problems," notes Larry Seltzer of eWeek.com, adding "people don’t want to volunteer to do the boring, rote parts of a real security audit." Furthermore, identifying a vulnerability does not mean that it will be fixed immediately. The voluntary nature of open source means that some issues will be addressed quickly while others lie in wait.

Given the different approaches to security of open source and commercial software, IT professionals evaluate a platform’s security based primarily on three areas: responsiveness (How quickly are public security vulnerabilities fixed?), relative security (How bad are a platform’s problems, relative to other platforms?), and thoroughness of response (What percentage of public security flaws are fixed?). In non-sponsored research, Forrester evaluated Windows and four key Linux distributions based on these three areas. It found that Microsoft had the lowest elapsed time between disclosure and release of a fix of all platform maintainers, had the fewest high-severity flaws of any vendor (25 fewer than the next lowest), and was the only vendor to fix 100% of the flaws discovered.