You know Jon, the more I think about it the more it bothers me that you intimated that PaXTeam
and company may be acting out of self-interest. The reason it bothers me is that the shoe
fits better on the other foot.
Granted that PaXTeam and company might have a certain amount of incentive to play up Linux
security vulnerabilities, in order to increase their reputations as security researchers, but
Linux core devs have an even greater incentive to play down security vulnerabilities in order
to protect their reputations as kernel hackers. Likewise, companies which rely on Linux as
part of their revenue stream have a very strong incentive to play down, hide, or obscure
Linux's security problems.
I like to assume that everyone involved is honest and of good-will. This is a good starting
point. However, we have to admit that people are influenced by psychological motivations
other than their sheer desire to contribute to the greater good. If you are writing up the
release notes for the latest Linux kernel, it might sting your pride a little bit to write
something like "The following seventeen remote root exploits have been fixed since the
previous release." (For example, the way the OpenBSD folks post prominently, at the top of
their home page, the count of how many remote exploits they've shipped -- http://openbsd.org.)
If you are selling Linux to customers, then it might sting your revenue stream. But by
the same token, it might be good for you to force yourself to write that down and show it to
your users or customers.