C003 — H2:

Statement: The figures are accurately reported from the OSSRA report, but they are misleading because OSSRA audits are conducted during M&A due diligence, creating severe selection bias — the codebases audited are not representative of the broader software industry.

Supporting Evidence Would Show

  • Evidence from OSSRA methodology documentation confirming the M&A due diligence context.
  • Comparisons with other SCA vendor reports (Snyk, Sonatype) showing materially different vulnerability rates when sampling differently.
  • Academic analyses critiquing the OSSRA sample as non-representative.

Eliminating Evidence Would Show

  • Evidence that OSSRA audits cover a broad, representative sample beyond M&A targets.
  • Other vendor reports with different sampling methods showing similar 87% rates.
  • OSSRA documentation explicitly addressing and mitigating the selection bias concern.