7595 security bugs in 32 leading OSS projects, including LAMP

On Wed, 08 Mar 2006 08:38:03 +0100, OK

In total, there were some 17.5 million lines of code examined. At an average rate of 0.434 bugs per 1,000 lines, we have, let's see... 17,500,000, divided by 1000, multiplied by 0.434, is some 7,595 bugs.

Carnegie Mellon's research suggests that commercial software has, on average, something closer to, on average, 25 bugs per 1,000 lines of code, which, on a codebase of 17.5 million lines would mean some 437,500 bugs, compared to about 7600. Considerably better, one would have to agree, than the norm.

Casper Jones suggests that a CMMI level 5 company (basically, one following best practices) should average about one bug per 1,000 lines, meaning that a 40 million-line codebase (eg XP) would ship with some 40,000 bugs. Or, scaling back to the examined 17.5 million lines examined, there should be 17,500 bugs. Not 7,500.

So OSS is obviously doing not merely a very good job... they're doing a job better than twice as effectively as the commercial folks using best practices.

57.6 times better than the commercial software norm. 2.3 times better than software following CMMI best practices.

Yup. OSS sure sucks.

-- MS, because work should be measured by effort, rather than result.