C002 — OpenSSF Scorecard 5.4 Average: Wrong Population — Input
Original Text
The average OpenSSF Scorecard score across the top one million critical open source projects is 5.4 out of 10.
Clarified for Testability
The mean OpenSSF Scorecard aggregate score across a population described as the 'top one million critical open source projects' (as defined by OpenSSF criticality criteria) is 5.4 on a 0-10 scale. This implies that even the most important OSS projects score barely above the midpoint on security best-practice metrics.
Embedded Assumptions Surfaced
- Assumes 'top one million critical open source projects' is a defined population — this likely refers to the OpenSSF Critical Projects list, but the methodology for selecting these million projects is itself a variable.
- Assumes 'average' means arithmetic mean, but median or other measures might tell a different story.
- Assumes the 5.4 figure is a current or recent measurement, but the Scorecard methodology and weights have evolved over time, so the same projects could score differently under different versions.
- Assumes the Scorecard's 0-10 scale is meaningful as an absolute measure of security posture rather than a relative ranking tool.
Scope
| Dimension | Value |
|---|---|
| Domain | Open source software security — supply chain security metrics and scoring |
| Timeframe | 2022-2025 (period of OpenSSF Scorecard maturity and adoption) |
| Testability | Testable via OpenSSF Scorecard project publications, BigQuery public datasets of Scorecard results, and academic analyses of Scorecard distributions. |
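As an added example (not part of this record or of the Scorecard project), the Python below sketches how the test named in the Scope table could be run over Scorecard JSON results while making the surfaced assumptions explicit: which population is averaged, mean versus median, and which Scorecard version produced each score. The record shape (`date`, `repo.name`, `scorecard.version`, `score`) follows `scorecard --format=json` output; the sample rows and the population list are constructed stand-ins, not real measurements.

```python
"""Recompute an 'average Scorecard score' over a defined population,
deduplicating repeated cron runs and reporting mean, median and the
mix of Scorecard versions behind the figure."""
from collections import defaultdict
from statistics import mean, median

# Constructed sample shaped like `scorecard --format=json` records.
# Scores and repo names are made up for illustration only.
SAMPLE_RESULTS = [
    {"date": "2024-03-01", "repo": {"name": "github.com/example/a"}, "scorecard": {"version": "v4.13.1"}, "score": 8.2},
    {"date": "2024-02-01", "repo": {"name": "github.com/example/a"}, "scorecard": {"version": "v4.12.0"}, "score": 7.0},  # older run of the same repo, superseded
    {"date": "2024-03-01", "repo": {"name": "github.com/example/b"}, "scorecard": {"version": "v4.13.1"}, "score": 3.1},
    {"date": "2024-03-01", "repo": {"name": "github.com/example/c"}, "scorecard": {"version": "v4.13.1"}, "score": 4.9},
    {"date": "2024-03-01", "repo": {"name": "github.com/example/d"}, "scorecard": {"version": "v4.13.1"}, "score": 2.8},
    {"date": "2024-03-01", "repo": {"name": "github.com/example/e"}, "scorecard": {"version": "v4.10.2"}, "score": 9.6},
    {"date": "2024-03-01", "repo": {"name": "github.com/other/z"}, "scorecard": {"version": "v4.13.1"}, "score": 1.0},  # outside the population
]

# Hypothetical stand-in for the 'critical projects' population list.
POPULATION = {"github.com/example/a", "github.com/example/b", "github.com/example/c",
              "github.com/example/d", "github.com/example/e"}


def latest_per_repo(results):
    """Keep only the most recent run per repo; cron datasets hold one row per date."""
    latest = {}
    for r in results:
        name = r["repo"]["name"]
        if name not in latest or r["date"] > latest[name]["date"]:
            latest[name] = r
    return latest


def summarize(results, population):
    """Mean and median over the chosen population, plus run counts per Scorecard version."""
    runs = [r for r in latest_per_repo(results).values() if r["repo"]["name"] in population]
    scores = [r["score"] for r in runs]
    by_version = defaultdict(list)
    for r in runs:
        by_version[r["scorecard"]["version"]].append(r["score"])
    return {
        "n": len(scores),
        "mean": round(mean(scores), 2),
        "median": round(median(scores), 2),
        "per_version": {v: len(s) for v, s in sorted(by_version.items())},
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_RESULTS, POPULATION))
```

On the constructed sample the mean (5.72) sits well above the median (4.9), and one of five scores comes from a different Scorecard version, which is exactly the kind of detail a single headline average hides.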
Vocabulary Map
Primary Terms: OpenSSF Scorecard, Scorecard score, critical open source projects, supply chain security
Domain Variants: OSSF Scorecard, Security Scorecards, OpenSSF security metrics, ossf/scorecard, Scorecard checks
Related Concepts: OpenSSF Criticality Score, software supply chain, SLSA, SBOM, Sigstore, software security posture, dependency risk scoring