6 votes

Topic deleted by author

2 comments

  1. [2]
    drannex
    And just like that, thousands of really great projects will be thrown to the wayside based on their criticality score and not on their opportunity.

    6 votes
    1. Wes
      I wouldn't put the blame on the metric just for existing. It still needs to be applied in the correct contexts.

      If the score is meant to determine criticality, then opportunity wouldn't be very relevant. There's probably tons of well-written and useful tools out there still in their nascent stages, but they wouldn't be considered critical yet.

      I expect OpenSSF would use this for tasks like prioritization of security audits.

      4 votes