On the security cost of using a free and open source component in a proprietary product