Linux Foundation Unveils Census III Report: A Comprehensive Analysis of Open Source Software Usage

The Linux Foundation, in partnership with Harvard's Laboratory for Innovation Science, has released the "Census III" report—a groundbreaking analysis of open source software (OSS) trends, challenges, and opportunities. Drawing from over 12 million data points across 10,000+ companies, the report highlights OSS's critical role in modern technology while underscoring vulnerabilities that demand collective action.

Essential Designs Team

December 5, 2024

The Linux Foundation has published its latest report, Census III: Identifying Critical Open Source Software, a deep dive into the state of the open source software (OSS) ecosystem. Produced in collaboration with Harvard's Laboratory for Innovation Science, the report examines the most widely used free and open source software (FOSS) libraries and their evolving role in today’s digital infrastructure.

Leveraging data from production environments across more than 10,000 organizations, Census III highlights the opportunities and risks inherent in the OSS ecosystem. The initiative was supported by software composition analysis leaders such as Black Duck, FOSSA, Snyk, and Sonatype.

“FOSS is now ubiquitous, forming the backbone of modern technology infrastructure,” said David A. Wheeler, Director of Open Source Supply Chain Security at the Open Source Security Foundation (OpenSSF). “However, this success has also attracted adversaries seeking to exploit vulnerabilities. Census III provides critical insights to guide investments in securing and sustaining open source.”

Key Findings from the Census III Report

The report outlines several trends shaping the OSS landscape:

  1. Cloud-centric growth: Libraries tailored for cloud computing are increasingly in demand.
  2. The Python 3 transition: Migration from deprecated Python 2 remains ongoing, highlighting evolving software standards.
  3. Diverse repositories: While Maven packages remain dominant in Java development, Python and .NET repositories (NuGet) are rapidly gaining traction.
  4. Emerging technologies: The Rust programming language has seen a significant rise in adoption since earlier Census reports.
  5. Legacy software challenges: Outdated but widely used code complicates long-term sustainability.
  6. Resource constraints: Many critical libraries are maintained by small groups of contributors, underscoring vulnerabilities tied to limited resources and account security.
  7. Standardization gaps: A lack of consistent naming conventions complicates dependency management, exacerbating supply chain vulnerabilities.

FOSS in the Crosshairs of Cybersecurity

The decentralized nature of OSS, a hallmark of its innovation, presents unique challenges. Key contributors to foundational libraries often operate independently, making them potential points of failure. “A single anonymous GitHub account maintaining a critical component poses significant cybersecurity risks,” said Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck.

The report emphasizes proactive investment in OSS security to mitigate risks and sustain the ecosystem. “As open source’s influence continues to grow, securing its foundations is more important than ever,” remarked Kevin Wang, CEO of FOSSA.

Building on a Legacy of Research

Census III is the latest in a series of studies aimed at assessing OSS's global impact. The first Census in 2015 focused on software within the Debian Linux distribution. Census II expanded to language-level packages widely used by enterprises. The current report takes a step further, analyzing anonymized data from industry partners to better identify vulnerabilities and prioritize interventions.

Brian Fox, Co-Founder and CTO of Sonatype, said: “With this report, we empower organizations to make data-driven decisions about securing their software supply chains, ensuring OSS can continue to drive innovation safely.”

The Path Forward

As governments and industries deepen their reliance on OSS, the call for collaboration and investment becomes increasingly urgent. “Understanding the health and security of open source is critical for its long-term sustainability,” said Hilary Carter, SVP of Research at the Linux Foundation.

The findings in Census III are a wake-up call for stakeholders to address emerging threats, invest in contributor support, and develop standardized practices for managing software dependencies. As OSS adoption accelerates, fostering a secure and resilient ecosystem is no longer optional—it is essential.

Danny Allan, CTO at Snyk, summarized the report’s significance: “By combining community-driven data with analytical rigor, Census III equips the industry to identify and address critical dependencies, paving the way for a stronger open source future.”

The report underscores the shared responsibility of securing open source software to enable continued innovation, resilience, and trust in the digital economy.
