Commit e37be1e

Make it clear many OSS projects have only 1 maintainer (#971)
Add citation.

Signed-off-by: David A. Wheeler <[email protected]>
Signed-off-by: Georg Kunz <[email protected]>
Co-authored-by: Georg Kunz <[email protected]>
1 parent 6d9fd6c commit e37be1e

1 file changed

+1
-1
lines changed

docs/Concise-Guide-for-Evaluating-Open-Source-Software.md

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ Unmaintained software is a risk; most software needs continuous maintenance. If
1919
|------|-------------|:--------:|
2020
| **Activity Level** | Confirm significant recent activity (e.g., commits) has occurred within the previous 12 months. | |
2121
| **Communication** | Verify the existence of recent releases or announcements from the project maintainer(s). | |
22-
| **Maintainer Diversity** | Verify the presence of more than one maintainer, ideally from different organizations, to reduce single-point-of-failure risk. | |
22+
| **Maintainer Diversity** | Verify the presence of more than one maintainer, ideally from different organizations, to reduce single-point-of-failure risk. However, note that [many widely-used projects have one maintainer](https://opensourcesecurity.io/2025/08-oss-one-person/). | |
2323
| **Release Recency** | Confirm that the last release was issued within the previous 12 months. | |
2424
| **Version Stability** | Assess whether the version string indicates instability (e.g., begin with "0", include "alpha" or "beta", etc.). | |
2525
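Review bot: the caveat added to the Maintainer Diversity row tells the evaluator that single-maintainer projects are common but not how to score one, so the row now reads as a requirement followed by an exception that undercuts it; suggest keeping the criterion as written and stating what to do when it is not met, e.g. "If there is only one maintainer, treat this as elevated risk and look for mitigations such as a documented succession plan or organizational backing." Also consider giving the cited post a title or date in the link text, since the bare URL does not identify the source to a reader of the rendered guide.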
