More likely, the software actually leaks like a sieve, and NEITHER group has even scratched the surface.
How many leaks did the OpenBSD team find when they proactively audited their entire codebase for the first time a few years ago? This would be an indication of just how leaky an O/S might be expected to be.
Remember - every single 0-day that surfaces was something the black hats found first.
And 0-day exploits are only the ones that the blackhats are willing to talk about. If they keep quiet about an exploit and only use it for industrial espionage and other electronic crimes then we are unlikely to hear about it until a whitehat stumbles across the blackhat's activities. Rather like The Cuckoo's Egg or the recent complex exploit involving IE and the MS Help tool. Have any of your customers ever asked you for a traffic audit report showing every IP address that has ever sourced traffic to them or received traffic from them?

--Michael Dillon