You can grab a firmware image from any closed-source appliance and immediately find dozens or hundreds of security problems that you know will never be fixed except possibly in your copy. They probably won't get fixed even if you talk to the manufacturer about them; in fact you run the risk of the manufacturer convincing the police to raid your home, or of the manufacturer suing you.
Now try the same with open-source software. There will be far fewer problems to find, because all of the obvious ones have been fixed already, and most of the difficult ones too. Even if you do find a problem, as soon as you put some information out there about it, it'll be fixed. Upgrades invariably happen more quickly with open-source software, even in firmware roles, so the population is covered more quickly as well.
That's what is meant by 'given enough eyes'; not that all bugs are found and fixed immediately, but that all bugs are found and fixed eventually. OpenSSL simply didn't have enough eyes, for a variety of reasons. Developers in the US were discouraged from contributing, since our legal system has in the past been a risk to that kind of project. Many developers avoided it because they didn't know anything about old systems like VMS, or about cryptography. Most of the rest of us avoided it because it wasn't obviously broken.
Edit: We also generally assume that the NSA has 'enough eyes'. If they decide that they have to attack product X, then they get a bunch of people to look at product X and find its bugs. It doesn't matter whether it's open source or not, it's just a question of the number of eyes you apply to the problem.