From 7513c9f3b154baa80893602aa1a191be0a47f4ab Mon Sep 17 00:00:00 2001 From: Alexander Bayandin Date: Tue, 29 Jun 2021 11:57:27 +0100 Subject: [PATCH] Acceptable-Formulae: quote from Veracode report --- docs/Acceptable-Formulae.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/Acceptable-Formulae.md b/docs/Acceptable-Formulae.md index 9401deefa6..c970835bca 100644 --- a/docs/Acceptable-Formulae.md +++ b/docs/Acceptable-Formulae.md @@ -73,7 +73,8 @@ Clang is the default C/C++ compiler on macOS (and has been for a long time). Sof We're a package manager so we want to do things like resolve dependencies and set up applications for our users. If things require too much manual intervention then they aren't useful in a package manager. ## Stuff that requires vendored versions of Homebrew formulae -Homebrew formulae should avoid having multiple, separate, upstream projects bundled together in a single package to avoid shipping outdated/insecure versions of software that is already a formula. +Homebrew formulae should avoid having multiple, separate, upstream projects bundled together in a single package to avoid shipping outdated/insecure versions of software that is already a formula. Veracode's [State of Software Security report](https://www.veracode.com/blog/research/announcing-state-software-security-v11-open-source-edition) concludes +> In fact, 79% of the time, developers never update third-party libraries after including them in a codebase. For more info see [Debian's](https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles) and [Fedora's](https://docs.fedoraproject.org/en-US/packaging-guidelines/#bundling) stances on this.
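Review bot: the new lead-in `...report](...) concludes` runs straight into the `> In fact, 79% ...` blockquote with no punctuation, so the quote reads as a continuation of the sentence; end it with a colon (`concludes:`) so the blockquote is clearly the quoted text. Since the linked URL is for the v11 edition and the 79% figure is specific to that edition, consider naming it in the prose (e.g. `Veracode's [State of Software Security v11 report](...)`) so the statistic does not silently date as new editions appear; as the commit title presents this as a direct quote, confirm the wording matches the report verbatim before merging.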