I trust people doing it largely for themselves and the community reputation _more_ than I trust people who are expected to deliver more returns every year in a stagnating market.
But you don't know if someone is doing it for themselves and community reputation, or if they're a fake persona created by someone who wants to break into servers. All it takes is one stereotypically-stubborn open source maintainer who gets grumpy about switching old reliable cryptographic defaults for kids-these-days defaults - which is a thing that real-world stubborn open source maintainers, on whom the stereotypes are based, do: https://sourceware.org/bugzilla/show_bug.cgi?id=13286
Do you know if the version of OpenSSL in your Debian has any patches to its cipher suite selection algorithm, compared to upstream? (Genuine question; I haven't checked.) If it did, and you saw someone being grumpy on a Debian bug and refusing to remove the patch, would you suspect that they were actually evil? Or just grumpy?
Remember, also, that Debian is the distro that patched their OpenSSL to ludicrously weaken the random-number generator, and the Snowden leaks confirmed that the NSA backdoored a random-number algorithm. I am not at all saying that the NSA was behind the patch (it looked genuinely like an oversight), but if the NSA wanted to be behind a similar patch, no one would think it abnormal.
That's totally fair, but I hope that each of those organizations has a vested interest in exposing each other; at the very least it's in the NSA's charter to protect American businesses against attacks, though I have no idea if they feel this is an effective way to do that. So yes, it's risky.
But Microsoft has all those disadvantages too: even though it's harder to get moles inside, it's easier to have their stuff go undetected (and in the case of the NSA it might even be done with full cooperation). Plus, the market share makes them a bigger target.
Outside of probable hypotheticals, what we know for certain is that Microsoft is attempting to monetize their new Windows on the back of users' data.
While I mentioned the NSA, really the bigger threat is a guy (or hacker group) who wants to pull off a million dollar heist. The NSA can get into (practically) anything and everything.
To get a job at MS, you have to have a real life reputation. Once you get in, there will be others analyzing your code, and your bug may not make it to release.
To insert a bug into Debian, become a packager and you're done. Access to one of the most popular server (the important stuff is here) OSs (Debian, Ubuntu) on the web.
You're busted? Create another account and start over.
If the NSA were trying to protect American businesses against attacks, they would responsibly disclose vulnerabilities they discover. But for the most part they hoard them.