Dubbed the Census Project, the initiative has been finding an embarrassing number of flaws in common core Linux system utilities that have network access. Some of them have nowhere near enough development effort relative to their importance.
A copy of the census data downloaded from GitHub on Friday morning showed 395 projects in the census, with the top-listed projects being core Linux utilities. Ftp, netcat-traditional, tcpd, and whois all scored 11 out of a possible 15.
High scores in the survey, said the CII in its page on the project, don't mean a given program should be ditched, or that it's to be presumed vulnerable. Rather, it means "the project may not be getting the attention that it deserves and that it merits further investigation."
For example, Apache's httpd Web server, a large and "vitally important" project with many vulnerabilities tracked over the years, ranked as an 8 in part because "there's already large development & review team in place."
Busybox, a project found in many embedded Linux applications that has been implicated before with security concerns, ranked even lower, at 6.
However, complications posed by dependencies between projects can create a security mess. The libaprutil1-ldap project has a score of 8 with a note that "the general Apache Portable Runtime (APR) appears to be actively maintained. However, it's not as clear that the LDAP library in it is as actively managed."
Likewise, anything that uses the Kerberos authentication system can be problematic.
All this is a move away from sponsoring only known-broken projects or those visibly in jeopardy, such as OpenSSL, the Network Time Protocol, and GnuPG.