“Another risk associated with being open source is that there is no official service level for when packages must be updated to respond to identified security flaws, or vulnerabilities. Over the past several years, there have been a number of vulnerabilities discovered in sudo that took as many as three years to patch (CVE-2013-2776, CVE-2013-2777, CVE-2013-1776 ).”