I created some plots from the data I collected for my research on correlating CVEs to Clean Code requirements.
Disclaimer: My n=19 is really low. The data is very probably not significant. It's part of a seminar, it just doesn't have the scope for a bigger data collection. I hope to do that for my masters thesis.
The first plot isn't really that surprising and just "confirms" the intuition, that more contributors catch more bugs.
The second is quite interesting. I may have a bias in there and just picked a lot of inactive projects for the projects without requirements (although projects like npm are in there), but it's still quite surprising for me that there is that big of a difference.
if we know about the exploits we can set up our security to prevent malware coming from them.