Look at what these OSS POCs provide and the effort to bake them into CE+. Also, does it feed into the risk metric for EE?

https://docs.google.com/presentation/d/1t48r-E-vfTqGJNGOiSZMhrq8e595Xg7s7tERfpXAy1E/edit#slide=id.ga8931ef4a1_0_0

https://github.com/ossf/wg-identifying-security-threats

https://github.com/ossf/security-reviews

https://github.com/ossf/Project-Security-Metrics
