Re: Well done NATO!
FFS, give that one a rest! It's bollocks.
The pros all say that if you really want to find vulns in Open Source software, techniques such as fuzzing are the way to go[1]. Scrutinising code only serves to give you a headache. It might find a known vuln type squirreled away somewhere that nobody's thought to look for it before, but it won't find that new attack vector[2] that's the holy grail here.
[1] And a consistent detection approach that works on all software is the better way anyway.
[2] 'Cos you don't know what to look for, of course!