C003 — OSSRA Report: 87% Vulnerable, 581 Avg, 107% Increase — Assessment

All three figures (87% vulnerability prevalence, 581 average vulnerabilities per codebase, 107% YoY increase) are confirmed from the Black Duck 2026 OSSRA report. However, the sample consists of 947 commercial codebases undergoing M&A audits, not open source projects. This commercial audit sample systematically overrepresents codebases with deferred maintenance and neglected dependency management, making the figures potentially misleading when used to characterize the open source ecosystem generally.

Evidence Synthesis

Evidence quality: Robust — The primary source is the Black Duck 2026 OSSRA report blog post, confirmed by the SC World trade press and a PR Newswire press release. All three exact figures (87%, 581, 107%) are confirmed from the primary source. The OSSRA methodology (947 commercial codebases across 17 industries) is clearly stated.

Source agreement: High — All sources that report these figures agree on the exact numbers. The Black Duck blog post, SC World coverage, and PR Newswire press release all cite 87%, 581 average vulnerabilities, and 107% year-over-year increase without discrepancy.

Independence: Limited true independence. SC World and PR Newswire are reporting on the same primary source (Black Duck OSSRA report). They provide independent confirmation that the report says what it claims, but not independent corroboration of the underlying findings. No independent audit or replication of the OSSRA methodology exists.

Probability Assessment

  • C003-H1: Almost certain (95-99%)
  • All three figures are confirmed verbatim from the primary source (Black Duck OSSRA 2026 blog post). The report is the 2026 edition analyzing 2024 audit data. All figures come from the same report edition.
  • C003-H2: Very unlikely (5-20%)
  • No evidence supports this hypothesis. All three figures are confirmed from a single report edition (OSSRA 2026). There is no indication of cross-edition conflation or inaccuracy.
  • C003-H3: Very likely (80-95%)
  • The OSSRA report explicitly states 'analysis of 947 commercial codebases across 17 industries.' These are M&A audit targets, which systematically overrepresent codebases with deferred maintenance. The 2024 OSSRA methodology documentation confirms the sample comes from 'Black Duck Audit Services during 2024': commercial software audits, not randomly sampled open source projects. This creates a significant generalizability concern when using these figures to characterize the open source ecosystem.

Verdict: The claim is Almost certain (95-99%) as a statement about what the OSSRA report says. However, the figures describe commercial codebases undergoing M&A audits, not the open source ecosystem generally. The sample bias qualification (H3) is Very likely (80-95%) and materially affects how the figures should be interpreted.

Evidence Gaps

Expected but not found:

  • No independent replication of the OSSRA methodology using a different sample was found.
  • No study comparing OSSRA figures to vulnerability rates in actively maintained open source projects was found.
  • The full OSSRA PDF report was not fetched in full; the blog post summary was used as the primary source.

Unanswered questions:

  • What would the vulnerability rate be if measured against actively maintained open source projects rather than M&A audit codebases?
  • How much of the 107% increase reflects growth in vulnerability database coverage vs. actual ecosystem deterioration?

Impact on confidence: Confidence in the literal accuracy of the claim is high. Confidence in the claim's applicability to the open source ecosystem is moderate, reduced by the sample composition concern. The absence of comparative data from non-M&A samples prevents calibrating how much the M&A bias inflates the figures.
