The Scrutiny Gradient: A Mean-Field Survey of Security Commits, CVEs, and Dossiers in 22 Linux Base-System Repositories
paper authors: Bommarito, M. J., II
year: 2026
venue: Working paper (draft)
details: Draft manuscript (2026-04-22 revision freeze). A mean-field survey of 1,139,828 commits across 22 Linux base-system repositories. Headline: 2.03% of commits carry security signal; only 5.6% of those acquire a CVE; the kernel-specific non-CVE-to-CVE ratio is 56:1. 77.6% of CVE'd fixes land on or before public disclosure; bugs live a median of 4.7 years before a fix lands; and a naive Linux-kernel NVD query is 44.5% contaminated by wrong-product records (Adobe Flash, IBM middleware, Chrome, V8, etc.) while Spectre and Meltdown do not appear under the kernel CPE at all. Since February 2024 the Linux kernel CNA has issued 6,239 records; only 226 carry a downstream dossier. The integrated commit-keyed corpus is released alongside the paper: 1,418 in-scope CVE dossiers, 1,138 hard-negative scope-audit records, and 19,705 non-CVE security-signal kernel commits. CVE-based measurement captures roughly 1 in 20 security fixes.
citation: Bommarito, M. J., II (2026). The Scrutiny Gradient: A Mean-Field Survey of Security Commits, CVEs, and Dossiers in 22 Linux Base-System Repositories. Working paper (draft), 2026-04-22 revision freeze.