A couple decades ago, free software was the target of much FUD, notably regarding its security. But free software evangelists could easily reply to Microsoft and other vendors that Mozilla's browser had much less flaws than Internet Explorer.

In fact, the reality was that many more flaws were being discovered in MSIE than in Firefox. Mostly because people had much less interest in finding flaws in Firefox than in MSIE. Firefox's rise would prove in just a few years that Mozilla was far from immune to security flaws.

The continued flood of free software has meant free software vulnerabilities now have an impact similar to those in proprietary software. Catastrophic flaws from the last decade in OpenSSL and Log4j have started to show some of the FUD was quite accurate.

KNP has been decrying software mediocrity for years, but things don't change overnight. I was involved in projects for which quality, including security, is - at best - an afterthought. Even (internally) known security flaws can remain for years, while fresh ones are being added.

There are lots of free software components which vary a lot in quality and in so many aspects, but most have something in common: either their quality is mediocre, or they don't exist. And while many users may be willing to put up with mediocre quality in many ways, organizations may have difficulty ignoring bad security track records.

Research suggesting some 40% of professionals have already scaled back their use of OSS may be worrying, but the timing matters, and the importance of that decline was not measured. Better late than never. It's still time to react, and OpenSSF's promises are good reason for hope, but many open source projects need to perform a fundamental reprioritization.