C003 — H3:

Statement: The figures are accurate for the OSSRA sample but are misleading as a characterization of the open source ecosystem because the OSSRA sample consists of commercial codebases undergoing M&A due diligence audits, which systematically overrepresent neglected or legacy codebases with known dependency management problems.

Supporting Evidence Would Show

  • OSSRA methodology documentation confirming the sample comes from commercial M&A audits.
  • Evidence that M&A audit targets have systematically different vulnerability profiles than actively maintained projects.
  • Other studies of open source vulnerability prevalence showing substantially lower rates.
  • Critiques of the OSSRA methodology noting selection bias.

Eliminating Evidence Would Show

  • Evidence that the OSSRA sample is representative of commercial software generally, not just M&A targets.
  • Other industry studies finding similar vulnerability rates in commercial codebases.
  • OSSRA methodology showing the sample is drawn from diverse contexts, not just M&A.