Methodology

Every score on ossreplace is computed daily from public data with the formula visible. No vendor input, no editorial bias. Audit the inputs on any project page.

1. Project Health Score (0–100)

A weighted composite across six dimensions. Weights are cited to peer-reviewed and industry-standard methodologies (CHAOSS Metrics Model, OpenSSF Scorecard, Snyk Open Source Advisor, Libraries.io SourceRank, Bus Factor research [Jabrayilzade et al., 2022]).

PROJECT_HEALTH = 0.20·Activity + 0.15·Maturity + 0.20·Community
               + 0.15·Security + 0.10·Sustainability + 0.20·Adoption

Activity (0.20 weight)

Recency of commits and breadth of contributors over the last 90 days.

A = 0.4·log10(commits_90d+1)/log10(500)·100
  + 0.3·max(0, 100 - days_since_last_commit·2)
  + 0.3·min(100, contributors_90d·5)

Maturity (0.15)

Project age, number of releases, semver discipline.

M = 0.3·min(100, age_years·25)
  + 0.4·min(100, total_releases·5)
  + 0.3·(100 if semver else 50 if has_releases else 0)

Community (0.20)

Issue resolution rate, PR merge rate, contributor diversity (bus-factor proxy).

Security (0.15)

CVE count, patch lag, security policy presence, signed releases. Pulled from OSV.dev daily.

Sustainability (0.10)

Funding signals (GitHub Sponsors, Open Collective), governance documents, bus factor.

Adoption (0.20)

Stars, forks, package downloads (NPM/PyPI/crates), Docker pulls — all log-scaled.
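
The Activity and Maturity formulas and the composite weighting above, as an added Python example (not ossreplace's own code) for re-checking a published score by hand. The function names are assumptions, and because this page gives no formulas for Community, Security, Sustainability and Adoption, those four are passed in as already-computed 0-100 values.

```python
import math

# Weights copied from the PROJECT_HEALTH formula on this page.
WEIGHTS = {
    "activity": 0.20, "maturity": 0.15, "community": 0.20,
    "security": 0.15, "sustainability": 0.10, "adoption": 0.20,
}


def activity(commits_90d, days_since_last_commit, contributors_90d):
    """Activity sub-score, term by term as written on the page."""
    # Log-scaled commit volume: reaches 100 at 499 commits and, having no
    # min() around it in the formula, keeps growing past that point.
    volume = math.log10(commits_90d + 1) / math.log10(500) * 100
    # Recency: loses 2 points per day since the last commit, floored at 0.
    recency = max(0, 100 - days_since_last_commit * 2)
    # Breadth: 5 points per contributor, capped at 100 (20 contributors).
    breadth = min(100, contributors_90d * 5)
    return 0.4 * volume + 0.3 * recency + 0.3 * breadth


def maturity(age_years, total_releases, semver, has_releases):
    """Maturity sub-score, term by term as written on the page."""
    age = min(100, age_years * 25)            # saturates at 4 years
    releases = min(100, total_releases * 5)   # saturates at 20 releases
    discipline = 100 if semver else 50 if has_releases else 0
    return 0.3 * age + 0.4 * releases + 0.3 * discipline


def project_health(scores):
    """Weighted composite; `scores` maps each dimension name to 0-100."""
    missing = WEIGHTS.keys() - scores.keys()
    if missing:
        raise ValueError(f"missing dimensions: {sorted(missing)}")
    return sum(WEIGHTS[name] * scores[name] for name in WEIGHTS)


if __name__ == "__main__":
    # Constructed inputs for a hypothetical project, not real data.
    scores = {
        "activity": activity(49, 10, 4),
        "maturity": maturity(2, 10, semver=True, has_releases=True),
        # Assumed values: the page does not give these four formulas.
        "community": 50, "security": 80, "sustainability": 40, "adoption": 70,
    }
    print({k: round(v, 2) for k, v in scores.items()})
    print("PROJECT_HEALTH =", round(project_health(scores), 2))
```

With more than 499 commits in 90 days the commit-volume term passes 100, so Activity computed exactly as written can exceed 100.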

2. Self-Hosting Cost

We detect a project's minimum requirements via a three-stage cascade:

  1. docker-compose.yml resource reservations (most reliable)
  2. README regex for "X GB RAM / disk" mentions
  3. Default fallback: 1 GB RAM, 20 GB disk, 1 TB egress

Then we project those requirements onto current pricing for Hetzner Cloud, DigitalOcean, Vultr, and Linode. Pricing is refreshed weekly from official APIs. Hetzner usually wins on cost. Bandwidth overage is included in the displayed monthly cost.

3. Self-Hosting Difficulty (1–5)

difficulty = 1
+ (1 if no docker-compose.yml in repo)
+ (1 if requires external DB setup)
+ (1 if requires reverse-proxy config)
+ (1 if requires OAuth/SMTP setup)
- (1 if has one-click deploy button)
clamp(1, 5)

4. Replacement Score (vs paid SaaS)

Embedding-based bipartite max-match. We embed both the paid SaaS feature list (scraped from its pricing page) and the OSS feature list (parsed from the README). Each feature pair is scored by cosine similarity, with a threshold of 0.65. SSO, SAML, SOC-2, audit logs and a mobile app, when missing in the OSS project, get a 2x weight penalty. Embeddings come from a local sentence-transformers/all-MiniLM-L6-v2 model.

5. Migration Difficulty (1–5)

How painful to switch from the paid SaaS to this OSS alternative.

migration = 1
+ (1 if no documented export format)
+ (1 if no import tooling for the alternative)
+ (1 if proprietary data format)
+ (1 if requires paid tier to export)
clamp(1, 5)

Refresh cadence

Citations