C003 — H3:

Statement: The figures are accurately quoted from the OSSRA report, but the report's sampling methodology makes them misleading as a description of the broader software landscape. The audit sample is non-representative (biased toward M&A due-diligence codebases, which tend to carry more technical debt than typical production code), and the year-over-year increase may reflect changes in the composition of the audited sample rather than genuine deterioration in open-source security.

Supporting Evidence Would Show

  • The OSSRA report methodology section indicating the sample comes from M&A audits
  • Year-over-year changes in sample composition (different industries, sizes, or types of codebases audited)
  • Competing reports (Snyk, Sonatype) showing different vulnerability prevalence rates with different methodologies
  • Academic critiques of vendor security reports noting sampling bias

Eliminating Evidence Would Show

  • The OSSRA report demonstrating a consistent, representative sampling methodology
  • Other vendor reports showing similar vulnerability prevalence rates despite different samples
  • Evidence that M&A audit samples are actually representative of the broader software landscape