The Atlantic Council on open-source policy
The Atlantic Council (described by Wikipedia as "an American think tank in the field of international affairs") has published a lengthy report on the problem of security in open-source software and what might be done about it.
OSS is really not much different from proprietary software: all code can be developed more securely, and the security risks OSS faces are common across most digital systems. For OSS the differences come in the relationships between open-source consumers (from government to the private sector to end users) and the projects they rely on. The lack of clear transactional relationships and the deeply influential role of the diverse, ever-changing contributor community are a challenge for policy and industry to navigate and support sufficiently. The result is an ecosystem that has both enabled digital innovation and often suffered from overburdened developers and under-resourced communities and projects.