There is no such thing as an open or closed CVE. Conflating "description is public" with "has been patched" would be wrong, but claiming that all existing CVEs ever are "open vulnerabilities" is nonsensical.
However, the downside of publicly reporting vulnerabilities is that everyone has this knowledge and does not need a team of pen testers to find these vulns, correct?
Is there any public info on linux/macos/win desktop patch rates?
I have personally been screwed by Ubuntu patching. I am not a total idiot and I assume I can't be the only one.
edit: I realize that I have foot in mouth syndrome in this thread, but does anyone have real world patch rates on desktop OSes?
Also, am I way off in the thought that publicly posting CVEs allows less technical adversaries to attack you? I believe in the benefits of OSS, but everything has positives and negatives.
If desktop linux has lower patch rates, as is my experience, then maybe we shouldn't be recommending desktop linux to everyone?
These are honest questions in the hope of learning.
It's generally accepted that open published CVEs push vendors to actually patch their software, instead of covering up and ignoring bugs. It also gives you a heads up that the software you're running has an issue and you need to update. It's tempting to think that making this knowledge publicly available gives the bad guys a roadmap, but in security you really can't just assume that because a vulnerability isn't public knowledge the bad guys won't know about it.
Frankly with the proliferation of the vulnerability black market, lack of public disclosure of CVEs would mean that only the black hats know it.