I'm afraid this is not entirely true (but I know I'm taking it to the extreme here):
The firmware is not open source - as vendor NDAs prevent us from releasing source code that would be of any use to our users. However, the specifications are fully open and detailed, and all cryptographic operations are deterministic, which allows any user to verify that the card is answering what it should and that there is no side channel.
Source:
http://support.ledgerwallet.com/knowledge_base/topics/is-it-open-source?from_search=true