Open Source Risk Assessment Checklist

For engineering leaders · 5 steps · ~15 minutes · Print or save as PDF

Step 1 — Inventory your top 20 critical dependencies

1 List your top 20 critical open source dependencies

These are the packages that would block your engineering org if they disappeared tomorrow. Start with what's in your production lock files.

Step 2 — Score each dependency on 5 dimensions

2 Score each top-20 dep on 5 dimensions

Per dep, score 1 (low) / 2 (medium) / 3 (high risk) on each dimension. Sum the scores. Anything ≥10 is critical.

Dimension 1 (low) 2 (med) 3 (high)
Bus factor3+21
Dormancy (last commit)< 30d30-180d> 180d
Sponsorship statusFundedSolo, activeSolo, no income
Explicit signalsNone flaggedMaintenance modeDeprecated / archived
Institutional backingFoundationCompanyPure solo

Step 3 — Sponsor the bus-factor-1 maintainers

3 Sponsor the high-risk maintainers

$100/month changes the calculus. Tidelift's 2024 data: paid maintainers don't quit at the same rate as unpaid ones. Even one $100/mo sponsorship is a signal.

Step 4 — Make contributing back a team policy

4 Make contributing back a team policy

One PR a quarter per critical dependency builds bus factor 2+ on the projects you depend on. Start small — typo fixes count.

Step 5 — Track risk quarterly

5 Make open source risk a quarterly metric

Most engineering orgs track vendor risk. Open source is the same kind of dependency. Treat it the same way.

Summary scorecard

After completing the 5 steps, fill this in:

Want a free audit of your actual org?

Paste your GitHub org, get a real report with your top 20 deps scored.

Run free audit →

BreakPoint · Where abandoned projects get a second life · breakpoint.network