C002 — OpenSSF Scorecard 5.4 Average: Wrong Population — Self-Audit

Process Audit (Analytical Domains)

Domain: Evaluation Consistency
Rating: Pass
Rationale: All three hypotheses were evaluated against the same Chainguard source, which was the only source reporting the 5.4 figure. The scorecard correctly identified it as medium reliability (corporate blog)

Domain: Synthesis Fairness
Rating: Concern
Rationale: The synthesis relies heavily on a single source (Chainguard blog) for essentially all evidence about the 5.4 figure. While this is an accurate reflection of the evidence landscape — no other source wa

Source-Back Verification

Sources verified: 1

Discrepancies

  • Minor discrepancy at https://www.chainguard.dev/unchained/wolfis-upstream-security-inspection-scanning-with-openssf-scorecard
      Assessment claims: The Chainguard analysis notes that 5.4 is 'typical' for open source based on past research.
      Source actually says: The evidence packet quotes: 'past research suggests that these scores are typical. Historically, many open-source projects tend to have Scorecard scores between four and six.' This says the 4-6 range is typical, not that 5.4 specifically is typical. The assessment slightly overstates the precision of Chainguard's generalization.
