Audit, you say.
I once put an easter egg into some open source code used by many millions of people. Nobody found it until a colleague talked about it at a conference maybe a decade later.
People talk about audits; I, at least, don't think audits can be relied upon to find much. It's nice when audits happen, don't misunderstand, but I don't assume that opening the source of something means that any badness will be found. That assumption requires several leaps of faith.