Anyone who truly wants to run an exchange shouldn't touch those open source 'exchanges' at all.
People think that open source is the answer to everything, just like they think that the Blockchain can be implemented into everything and greatly benefit it, but that is not true for the majority of the cases presented. Although I normally am an advocate for open source software, exchanges are one of the exceptions to this. You do not publish the code on the internet when you are storing hundreds of thousands on your exchange. If you were to do this, you would be exposing your code to many more black hat hackers than you would if you kept it closed source. You would also encourage white hats to commit to your code and make it better in that way, but the risk of black hat hackers getting into your system is way too great.
The better option is to only have trustworthy members in the community open exchanges with a multisig address that acts as an insurance if everything fails and the exchange is breached. This multisig should be handled by people who are separate from the exchange but have handled more than what is in the fund while being extremely trusted members of the community. This is extremely complicated and has its downfalls for sure, but would be a better alternative to openly distributing your code online when it is responsible for holding hundreds of members' funds.
Any exchange that opens should be tested by multiple penetration testers before it's released to the public.