Most developers don’t understand (or use) CVE scores. Their dependency selection criteria are generally feature-based, with maybe a nod towards licencing. Can we teach developers to choose safer software in deterministic and realistic ways? In this talk, we’ll cover emerging industry ideas about ways to evaluate open-source projects that will connect with both developers and IT. Choosing wisely might be possible after all.