No other general-purpose OS that runs on my laptop has the track record of OpenBSD: only 2 remotely exploitable security holes in the default installation since ~1996. And then the other mitigations let you control carefully what more attack surface to expose--those mitigations dramatically reduce it. I appreciate the general lack of privilege escalation 0-day exploits, as seen over time.
Serious question: How big is OpenBSD as a target for malware, exploits, viruses, etc.?
OpenBSD's track record is impressive, but is it a significant target compared to Windows, macOS, and Linux?
It is easy to say "only two bullets have ever penetrated my armor" when hardly anyone is shooting at you. I do not know if this is the case because I have never used OpenBSD and I do not know how widely it is used (headless servers, embedded devices, etc.).
If that were true you might also expect FreeBSD and NetBSD to have similarly low levels of exploits, and my general impression (not research, just reading around) is that they have had more exploits in that timeframe (privilege escalation bugs, whatever).
You can read more about OBSD's security by going to https://openbsd.org then clicking the "Security" link near the top left.
PS: FreeBSD seems to have more users than OpenBSD, and NetBSD seems to have fewer users than OpenBSD.
On OpenBSD do you even need to compromise the kernel? Can't your normal user account install a backdoored browser, steal your ssh keys, DDoS people, start a VNC server, keylog, etc.?
I guess that is possible if you try to do so -- compile your own stuff, or download and run it. But if you act normally instead, installing just what you actually need, from the package repository (where most things are "pledged" and "unveiled", which adds some impressive protections), I think the chances are much lower than with other OSes.
Also I separate things by user account, so I don't do my general browsing as the same user that does my programming, which is again separate from bank access, which is separate from .... So the kernel is providing a lot of protections.
(And I usually browse without images and JavaScript, which is not OS-specific but a suggestion. Many things I use don't require it, and I can flip it on or configure it specifically for those that do.)