Security researchers don't strictly need sources. An experienced reverse-engineer could read asm like you would read C. So for some people Windows has been open sourced in some way for a long time. They don't apply obfuscation techniques. I don't think that there will be a lot of bad bugs.