
Well, we are comparing apples and oranges here, because this small open source repo most certainly has fewer people looking at it than Intel has engineers working on ME.


Who said this is a small open-source repo? Node.js has one of the most active OSS communities on the web, with many contributors and developers looking at the code, consuming and working on security and fixing bug reports daily.

Also, a single company provides limitations - you've got blinders on, and your project isn't open for those with a different perspective to come in and take a look and notice something. I honestly think that a fresh, open, and global perspective is truly key to the success of OSS.


Large communities of open source developers are no panacea; look at Shellshock or all the various OpenSSL bugs. Those bugs stayed present for years in highly used software...

A large community of devs who are focused on security would indeed be good for a project's security, but that's not always their number one priority.


Yes, my point is that we're just throwing anecdotes around here, picking examples that suit the argument. It's not proven that one model is better than the other; otherwise we'd all just use the best one and that's all.

> your project isn't open for those with a different perspective to come in and take a look and notice something.

Yes, but consider the fact that a malicious party can also do this kind of analysis. For the record, I'm not advocating for closed software, on the contrary, but merely pointing out that the matter is more complex than it looks on the surface.
