Report Endnotes

Securing Open Source Software at the Source

Creating a Center for Open Source Software Infrastructure and Security

  1. In software engineering, the codebase is the collection of source code used to build a software system — like the bricks of a building.
  2. Synopsys, “2021 Open Source Security & Risk Analysis Report,”
  3. “Cyberspace Solarium Commission Report,” March 2020,
  4. For a full definition of “open source software,” see Appendix A of the Federal Source Code Policy,
  5. “Usage statistics of Linux for websites,”
  6. The MITRE Corporation, “Use of Free and Open-Source Software in the U.S. Department of Defense,” Jan. 2, 2003,
  7. Synopsys.
  8. Netcraft, “Half a million widely trusted websites vulnerable to Heartbleed bug,” Apr. 8, 2014,
  9. FTC, “Equifax Data Breach Settlement,” Jan. 2020,
  10. Brian Barrett, “How 4 Chinese Hackers Allegedly Took Down Equifax,” Feb. 10, 2020,
  11. CISA, “Top 10 Routinely Exploited Vulnerabilities,” May 12, 2020,
  12. Greg Walden and Gregg Harper, “Letter to Mr. Zemlin,”
  13. The White House, “Executive Order on Improving the Nation’s Cybersecurity,” May 12, 2021,
  14. James Turner, “Open source has a funding problem,” Jan. 7, 2021,
  15. The Linux Foundation and The Laboratory for Innovation Science at Harvard, “2020 FOSS Contributor Survey Report,”
  16. Liran Tal, “Open source maintainers want to be secure, but 70% lack skills,” Feb. 26, 2019,
  17. The Linux Foundation and The Laboratory for Innovation Science at Harvard.
  18. National Critical Functions (NCFs) define functions of government and the private sector that represent the most strategic risks of the nation. See: CISA, “National Critical Functions,”
  19. CVSS is a framework for describing the characteristics and severity of software vulnerabilities. See: NVD, “Vulnerability Metrics,”
  20. NVD is a U.S. government database of vulnerability data that is available to the public. See: NIST, “National Vulnerability Database (NVD),”
  21. The Census Program identifies commonly used free and open source software components and examines them for vulnerabilities. See: “Vulnerabilities in the Core,”
  22. The Criticality Score is an effort to rate open source projects based on how critical they are to the entire community. See: Google Open Source Project, “Finding Critical Open Source Projects,”
  23. Tim Graham, “Django Fellowship Program: 2016 retrospective,” Dec. 28, 2016,
  24. “Cyberspace Solarium Commission Report,” March 2020,
  25. “Homeland Open Source Technology Fact Sheet,” July 29, 2015,
  26. CISA, “CISA Invests in Cutting-Edge Election Security Auditing Tool Ahead of 2020 Elections,” Nov. 21, 2019,
  27. European Commission, “EU-FOSSA 2 Deliverables,”
  28. European Commission, “EU-FOSSA 2 - the EU’s open source cybersecurity project ends,” July 14, 2020,
  29. Ford Foundation, “Critical Digital Infrastructure Research,”
  30. Chan Zuckerberg Initiative, “Essential Open Source Software for Science,”
  31. Shane Greenstein and Frank Nagle, “Digital Dark Matter and the Economic Contribution of Apache,” Oct. 2013, Research Policy, 43(4), 623-631,
  32. GFDDR, “Open Data for Resilience Initiative & GeoNode: A Case Study on Institutional Investments in Open Source,” 2017,
  33. Frank Nagle, “Government Technology Policy, Social Value, and National Competitiveness,” Mar. 21, 2019,
  34. Frank Nagle, “Why Congress should invest in open source software,” Oct. 13, 2020,
  35. Trey Herr, et al., “Broken trust: Lessons from Sunburst,” Mar. 29, 2021,