
OSS study: 9 key contributors drive 14% of cross-community work in 464 projects

Only 9 'carrier' developers bridge most open-source cybersecurity communities

Deep Dive

A new academic paper analyzing the open-source software (OSS) ecosystem of cybersecurity projects finds that cross-community collaboration is sustained by a remarkably thin 'carrier layer': just nine individuals who span seven or more communities at the commit level. These nine contributors authored 14% of all inter-community merged pull requests across the 464 projects and 11,372 contributors studied, covering the period October 2001 to May 2022. The top 50 cross-community contributors produced 54% of such work. The study, from researchers including Lucia Gomez Tejeiro and Thomas Maillart, used the Rawsec Cybersecurity Inventory and Louvain community detection to identify 163 non-singleton communities. Community formation followed a logistic trajectory, saturating around 2018, and per-community contributor count scaled superlinearly with repository count (n_contributors ~ n_repos^1.4).

The research also quantifies 'boundary friction' as a recognition cost: inter-community pull-request acceptance rises from 42% when a contributor has breadth k=1 to 87% at k=5-9, while median latency compresses from 147 hours to 49 hours. Community survival is cohort-structured, with residualisation hazard rising tenfold between the pre-2010 and 2018 cohorts. External community reach predicts survival mainly through size, leaving late cohorts under-served despite a stable carrier layer. The authors note that the corpus predates mainstream LLM coding assistants, so it serves as a baseline: the thinness of the carrier layer and the friction gradient point to essential human recognition dynamics that AI-mediated OSS ecosystems should not optimise away.

Key Points
  • Only 9 developers span 7+ communities and produce 14% of all cross-community pull requests
  • Inter-community PR acceptance jumps from 42% to 87% as contributor breadth increases from 1 to 5-9 communities
  • Community formation saturated around 2018; later cohorts face 10x higher attrition risk

Why It Matters

Reveals crucial human recognition dynamics that AI coding assistants must preserve in open-source ecosystems.