Published: June 2015
Authors: David A. Wheeler, Samir Khakimov
Census I was a 2015 report developed under the Linux Foundation’s Core Infrastructure Initiative (CII) to identify the open source software (OSS) projects most in need of security investment. It surveyed various approaches for identifying OSS projects needing security investments, then assessed a set of packages in the Debian Linux distribution using metrics such as contributor activity, popularity, CVEs, and network exposure. The result was a list of the “riskiest” OSS of the time that needed investment. Note that one of the packages on this “riskiest” list was xz-utils, which was later targeted by a malicious attacker. The insights from this effort laid the foundation for prioritizing security investments in open source software.
Legacy and Evolution
The Core Infrastructure Initiative (CII) set the groundwork for security-focused methodologies in open source. While CII is no longer active, its efforts have evolved under OpenSSF programs. The Census I report remains a key reference for understanding and addressing the criticality of open source projects. The source code developed to create the Census I report is available as OSS.
For more details, download the whitepaper “Open Source Software Needing Security Investments.”