Hacker News
by phkahler 1740 days ago
Interesting read. One thing seems to be missing, and that is any notion of participating in upstream development. In open source you don't have to just be a consumer, you can actively participate in the development of dependencies to varying degrees. They do point to people near the edge vs on the edge as having better practices, and I'd think that's because they at least follow and understand what's going on vs just using the latest. Following and understanding seems very close to participating, though they are different.
1 comments

This is something we studied in last year's report. Based on a survey similar to the one described in Chapter 4 we found that a mix of features measuring participation in the open source community was associated with positive security outcomes. It makes sense that if you follow the projects you're using closely then you would be more aware of security advisories and fixes for those projects. My favorite part was the term we used for this mix of features: Open Source Enlightenment :-)