As part of its participation in the Open-Source Security Foundation (OpenSSF), Google has developed a system for ranking open source projects based on their importance to a given area. Launched by Google and its OpenSSF peers, the Criticality Score system allows organizations to determine which projects deserve more attention and who should provide support and funding first.
The Criticality Score system uses an algorithm developed by the famous programmer Rob Pike, who at one time participated in the creation of Unix, Inferno and Plan 9 operating systems, Go and Limbo programming languages, etc.
According to the Criticality Score, the importance of open source projects to the industry is rated from 0 (minimum criticality) to 1 (maximum criticality). The assessment is based on the following criteria:
- Age of the project (coefficient 1);
- Date of the last update (coefficient -1);
- Number of participants (this criterion is key, coefficient 2);
- Number of organizations whose members are participants (coefficient 1);
- Frequency of adding commits (coefficient 1);
- Number of releases in the last year (coefficient 0.5);
- Number of updates and bug fixes in the last 90 days (coefficient 0.5);
- Comment frequency (coefficient 1);
- Number of projects mentioned in commit messages (this criterion is key, coefficient 2).
Organizations can also add their own criteria and change the coefficient values. The assessment of a project's importance is carried out automatically by the criticality_score utility, based on information from the project's repository.
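Added example, not code from the article or from the criticality_score tool itself: a Python implementation of the weighted scoring the article describes, using its criteria and coefficients (including the negative coefficient for time since the last update). The log-scaling of each signal against a saturation threshold follows the Criticality Score design; the threshold values, the signal names and the final clamp to the article's 0..1 range are assumptions made for this example.

```python
import math

# Criteria and coefficients as listed in the article.  The saturation
# thresholds (raw value at which a signal counts fully) are ASSUMED here;
# organizations are expected to tune both weights and thresholds.
CRITERIA = {
    # name: (coefficient, threshold)
    "created_since_months":  (1.0, 120),      # age of the project
    "updated_since_months":  (-1.0, 120),     # staleness lowers the score
    "contributor_count":     (2.0, 5000),     # key criterion
    "org_count":             (1.0, 10),
    "commit_frequency":      (1.0, 1000),
    "recent_releases_count": (0.5, 26),
    "recent_issue_activity": (0.5, 5000),     # updates and fixes, last 90 days
    "comment_frequency":     (1.0, 15),
    "dependents_count":      (2.0, 500000),   # key criterion
}


def param_score(value, threshold, weight):
    """Scale one raw signal to [0, 1] on a log scale, saturating at the
    threshold, then apply its coefficient.  Values above the threshold
    contribute exactly the coefficient, so one huge signal cannot dominate."""
    if value < 0:
        raise ValueError("signals must be non-negative")
    return weight * math.log(1 + value) / math.log(1 + max(value, threshold))


def criticality_score(signals, criteria=CRITERIA):
    """Weighted, normalized score for a project.  Missing signals count as 0.
    Because the positive coefficients sum to more than the total, the raw
    value can leave [0, 1]; clamping to the article's range is an assumption."""
    total_weight = sum(w for w, _ in criteria.values())
    raw = sum(
        param_score(signals.get(name, 0), threshold, weight)
        for name, (weight, threshold) in criteria.items()
    ) / total_weight
    return round(min(max(raw, 0.0), 1.0), 5)


if __name__ == "__main__":
    # Constructed sample: a mid-sized, recently updated library.
    sample = {"created_since_months": 60, "updated_since_months": 1,
              "contributor_count": 300, "org_count": 6, "commit_frequency": 40,
              "recent_releases_count": 8, "recent_issue_activity": 120,
              "comment_frequency": 4, "dependents_count": 20000}
    print(criticality_score(sample))
```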
Currently, several categories of critical projects have been identified, grouped by programming language. You can get acquainted with them here.