Open source software projects assume that “many eyes make all bugs shallow.” However, the recent Heartbleed vulnerability in OpenSSL revealed that showstopper bugs can exist for years.
Your paper would look at the biggest, most used open source software projects (like OpenSSL), and examine their development practices. For example, in OpenSSL, there is no proper intermediate code review step in between “random coder commits code” and “code goes out to the world.” In contrast, Chromium has a review step that the original author is completely excluded from, where multiple people read the code.
Once you have categorized review practices, you will examine the number of severe vulnerabilities that have made it past the review and been deployed to the world.
Sadly I can’t see a way to do randomized trials of software development. Coders are expensive and there are only a few projects that are as important and high-stakes as OpenSSL.