
C003 — OSSRA Vulnerability Figures: Accurate but Contextual — Assessment


The claim is almost certainly accurate as a direct quotation from the OSSRA 2026 report. However, the 107% increase is very likely driven in part by measurement factors: average codebase size grew 74% in files and 30% in components, the CVE database grew 263% over five years, and the addition of the Linux kernel as a CNA contributed 5,000+ new CVEs during the audit period. The OSSRA sample (947 codebases audited during M&A due diligence) is not representative of codebases in general. Critical/high-severity vulnerability prevalence actually decreased slightly despite the rise in total counts. The researcher should present these as OSSRA audit findings with full contextual caveats, not as representative of all software.

Evidence Synthesis

Evidence quality: Robust — The primary source (OSSRA 2026 PDF) was found, and two independent media sources (SC World, LinkedIn) confirm the specific figures. NIST provides authoritative context on CVE growth.

Source agreement: High — All sources agree on the specific figures: 87%, 581 average vulnerabilities, 107% increase. Multiple sources also converge on contextual factors (codebase growth, CVE database expansion).

Independence: The 87%, 581, and 107% figures all originate from a single primary source (OSSRA 2026 report). Media coverage confirms but does not independently verify. NIST CVE growth data is an independent contextual source.

Probability Assessment

  • H1: Almost certain (95-99%). The OSSRA 2026 report (947 codebases, 17 industries, audit period Nov 2024-Oct 2025) reports exactly 87%, a 581 average, and a 107% increase. Multiple independent media sources confirm these figures.
  • H2: Very likely (80-95%). The OSSRA data comes from audits of commercial codebases, primarily during M&A due diligence; Black Duck itself handles 500+ M&A transactions per year. This creates significant selection bias, since M&A targets are not representative of all codebases. The figures themselves are nonetheless accurately reported from the OSSRA report.
  • H3: Very likely (80-95%). SC World reports that the 107% increase correlates with 74% growth in files per codebase and 30% growth in components. NIST reports 263% growth in CVE submissions from 2020 to 2025, and the addition of the Linux kernel as a CNA added 5,000+ CVEs during the audit period. The increase therefore substantially reflects measurement expansion rather than security degradation alone.
  • H4: Almost no chance (1-5%). All three figures are confirmed from the OSSRA 2026 report by multiple independent sources; they are not conflated from different reports.

Verdict: The claim is almost certainly accurate as a quotation from the OSSRA 2026 report (95-99%). However, the 107% increase is very likely (80-95%) influenced by measurement factors (codebase growth, CVE database expansion) as much as by actual security degradation, and the OSSRA sample is very likely (80-95%) not representative of all codebases because of M&A-driven sampling. The claim should be used with these caveats.

Evidence Gaps

Expected but not found:
  • Independent academic validation of the OSSRA sampling methodology and its representativeness.
  • Comparison with audit populations not driven by M&A (e.g., Snyk annual report data) showing different prevalence rates.

Unanswered questions:
  • What would the vulnerability prevalence rate be in a randomly sampled population of codebases rather than among M&A targets?
  • How much of the 107% increase is attributable to CVE database expansion versus actual changes in codebase security?

Impact on confidence: The gaps do not affect confidence in the accuracy of the OSSRA figures themselves, but they significantly limit how far those figures generalize to codebases in general. The researcher should present them as OSSRA audit findings rather than as representative of all software.
