Open Source Vulnerability Notification

Brandon Carlson; Kevin Leach; Darko Marinov; Meiyappan Nagappan; Atul Prakash

doi:10.1007/978-3-030-20883-7_2

Open Source Vulnerability Notification

Brandon Carlson, Kevin Leach, Darko Marinov, Meiyappan Nagappan, Atul Prakash

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The use of third-party libraries to manage software complexity can expose open source software projects to vulnerabilities. However, project owners do not currently have a standard way to enable private disclosure of potential security vulnerabilities. This neglect may be caused in part by having no template to follow for disclosing such vulnerabilities. We analyzed 600 GitHub projects to determine how many projects contained a vulnerable dependency and whether the projects had a process in place to privately communicate security issues. We found that 385 out of 600 open source Java projects contained at least one vulnerable dependency, and only 13 of those 385 projects had a security vulnerability reporting process. That is, 96.6% of the projects with a vulnerability did not have a security notification process in place to allow for private disclosure. In determining whether the projects even had contact information publicly available, we found that 19.8% had no contact information publicly available, let alone a security vulnerability reporting process. We suggest two methods to allow for community members to privately disclose potential security vulnerabilities.

Original language	English (US)
Title of host publication	Open Source Systems - 15th IFIP WG 2.13 International Conference, OSS 2019, Proceedings
Editors	Francis Bordeleau, Alberto Sillitti, Paulo Meirelles, Valentina Lenarduzzi
Publisher	Springer New York LLC
Pages	12-23
Number of pages	12
ISBN (Print)	9783030208820
DOIs	https://doi.org/10.1007/978-3-030-20883-7_2
State	Published - 2019
Event	15th International Conference on Open Source Systems, OSS 2019 - Montreal, Canada Duration: May 26 2019 → May 27 2019

Publication series

Name	IFIP Advances in Information and Communication Technology
Volume	556
ISSN (Print)	1868-4238
ISSN (Electronic)	1868-422X

Conference

Conference	15th International Conference on Open Source Systems, OSS 2019
Country	Canada
City	Montreal
Period	5/26/19 → 5/27/19

Keywords

Open source
Security disclosure
Vulnerable dependency

ASJC Scopus subject areas

Information Systems
Computer Networks and Communications
Information Systems and Management

Access to Document

10.1007/978-3-030-20883-7_2

Fingerprint Dive into the research topics of 'Open Source Vulnerability Notification'. Together they form a unique fingerprint.

Cite this

Carlson, B., Leach, K., Marinov, D., Nagappan, M., & Prakash, A. (2019). Open Source Vulnerability Notification. In F. Bordeleau, A. Sillitti, P. Meirelles, & V. Lenarduzzi (Eds.), Open Source Systems - 15th IFIP WG 2.13 International Conference, OSS 2019, Proceedings (pp. 12-23). (IFIP Advances in Information and Communication Technology; Vol. 556). Springer New York LLC. https://doi.org/10.1007/978-3-030-20883-7_2

Open Source Vulnerability Notification. / Carlson, Brandon; Leach, Kevin; Marinov, Darko; Nagappan, Meiyappan; Prakash, Atul.

Open Source Systems - 15th IFIP WG 2.13 International Conference, OSS 2019, Proceedings. ed. / Francis Bordeleau; Alberto Sillitti; Paulo Meirelles; Valentina Lenarduzzi. Springer New York LLC, 2019. p. 12-23 (IFIP Advances in Information and Communication Technology; Vol. 556).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Carlson, B, Leach, K, Marinov, D, Nagappan, M & Prakash, A 2019, Open Source Vulnerability Notification. in F Bordeleau, A Sillitti, P Meirelles & V Lenarduzzi (eds), Open Source Systems - 15th IFIP WG 2.13 International Conference, OSS 2019, Proceedings. IFIP Advances in Information and Communication Technology, vol. 556, Springer New York LLC, pp. 12-23, 15th International Conference on Open Source Systems, OSS 2019, Montreal, Canada, 5/26/19. https://doi.org/10.1007/978-3-030-20883-7_2

Carlson B, Leach K, Marinov D, Nagappan M, Prakash A. Open Source Vulnerability Notification. In Bordeleau F, Sillitti A, Meirelles P, Lenarduzzi V, editors, Open Source Systems - 15th IFIP WG 2.13 International Conference, OSS 2019, Proceedings. Springer New York LLC. 2019. p. 12-23. (IFIP Advances in Information and Communication Technology). https://doi.org/10.1007/978-3-030-20883-7_2

Carlson, Brandon ; Leach, Kevin ; Marinov, Darko ; Nagappan, Meiyappan ; Prakash, Atul. / Open Source Vulnerability Notification. Open Source Systems - 15th IFIP WG 2.13 International Conference, OSS 2019, Proceedings. editor / Francis Bordeleau ; Alberto Sillitti ; Paulo Meirelles ; Valentina Lenarduzzi. Springer New York LLC, 2019. pp. 12-23 (IFIP Advances in Information and Communication Technology).

@inproceedings{cb55b34f32894715ba355c0cc86c6df8,

title = "Open Source Vulnerability Notification",

abstract = "The use of third-party libraries to manage software complexity can expose open source software projects to vulnerabilities. However, project owners do not currently have a standard way to enable private disclosure of potential security vulnerabilities. This neglect may be caused in part by having no template to follow for disclosing such vulnerabilities. We analyzed 600 GitHub projects to determine how many projects contained a vulnerable dependency and whether the projects had a process in place to privately communicate security issues. We found that 385 out of 600 open source Java projects contained at least one vulnerable dependency, and only 13 of those 385 projects had a security vulnerability reporting process. That is, 96.6% of the projects with a vulnerability did not have a security notification process in place to allow for private disclosure. In determining whether the projects even had contact information publicly available, we found that 19.8% had no contact information publicly available, let alone a security vulnerability reporting process. We suggest two methods to allow for community members to privately disclose potential security vulnerabilities.",

keywords = "Open source, Security disclosure, Vulnerable dependency",

author = "Brandon Carlson and Kevin Leach and Darko Marinov and Meiyappan Nagappan and Atul Prakash",

note = "Funding Information: We thank Snyk [26] for providing us access to their tool and data. This material is based upon work partially supported by the US Air Force Research Laboratory under Contract FA8750-15-2-0075 and US National Science Foundation under Grant Nos. CNS-1646305, CNS-1646392, CNS-1740897, and CNS-1740916. Funding Information: Acknowledgments. We thank Snyk [26] for providing us access to their tool and data. This material is based upon work partially supported by the US Air Force Research Laboratory under Contract FA8750-15-2-0075 and US National Science Foundation under Grant Nos. CNS-1646305, CNS-1646392, CNS-1740897, and CNS-1740916.; 15th International Conference on Open Source Systems, OSS 2019 ; Conference date: 26-05-2019 Through 27-05-2019",

year = "2019",

doi = "10.1007/978-3-030-20883-7_2",

language = "English (US)",

isbn = "9783030208820",

series = "IFIP Advances in Information and Communication Technology",

publisher = "Springer New York LLC",

pages = "12--23",

editor = "Francis Bordeleau and Alberto Sillitti and Paulo Meirelles and Valentina Lenarduzzi",

booktitle = "Open Source Systems - 15th IFIP WG 2.13 International Conference, OSS 2019, Proceedings",

}

TY - GEN

T1 - Open Source Vulnerability Notification

AU - Carlson, Brandon

AU - Leach, Kevin

AU - Marinov, Darko

AU - Nagappan, Meiyappan

AU - Prakash, Atul

N1 - Funding Information: We thank Snyk [26] for providing us access to their tool and data. This material is based upon work partially supported by the US Air Force Research Laboratory under Contract FA8750-15-2-0075 and US National Science Foundation under Grant Nos. CNS-1646305, CNS-1646392, CNS-1740897, and CNS-1740916. Funding Information: Acknowledgments. We thank Snyk [26] for providing us access to their tool and data. This material is based upon work partially supported by the US Air Force Research Laboratory under Contract FA8750-15-2-0075 and US National Science Foundation under Grant Nos. CNS-1646305, CNS-1646392, CNS-1740897, and CNS-1740916.

PY - 2019

Y1 - 2019

N2 - The use of third-party libraries to manage software complexity can expose open source software projects to vulnerabilities. However, project owners do not currently have a standard way to enable private disclosure of potential security vulnerabilities. This neglect may be caused in part by having no template to follow for disclosing such vulnerabilities. We analyzed 600 GitHub projects to determine how many projects contained a vulnerable dependency and whether the projects had a process in place to privately communicate security issues. We found that 385 out of 600 open source Java projects contained at least one vulnerable dependency, and only 13 of those 385 projects had a security vulnerability reporting process. That is, 96.6% of the projects with a vulnerability did not have a security notification process in place to allow for private disclosure. In determining whether the projects even had contact information publicly available, we found that 19.8% had no contact information publicly available, let alone a security vulnerability reporting process. We suggest two methods to allow for community members to privately disclose potential security vulnerabilities.

AB - The use of third-party libraries to manage software complexity can expose open source software projects to vulnerabilities. However, project owners do not currently have a standard way to enable private disclosure of potential security vulnerabilities. This neglect may be caused in part by having no template to follow for disclosing such vulnerabilities. We analyzed 600 GitHub projects to determine how many projects contained a vulnerable dependency and whether the projects had a process in place to privately communicate security issues. We found that 385 out of 600 open source Java projects contained at least one vulnerable dependency, and only 13 of those 385 projects had a security vulnerability reporting process. That is, 96.6% of the projects with a vulnerability did not have a security notification process in place to allow for private disclosure. In determining whether the projects even had contact information publicly available, we found that 19.8% had no contact information publicly available, let alone a security vulnerability reporting process. We suggest two methods to allow for community members to privately disclose potential security vulnerabilities.

KW - Open source

KW - Security disclosure

KW - Vulnerable dependency

UR - http://www.scopus.com/inward/record.url?scp=85068989875&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85068989875&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-20883-7_2

DO - 10.1007/978-3-030-20883-7_2

M3 - Conference contribution

AN - SCOPUS:85068989875

SN - 9783030208820

T3 - IFIP Advances in Information and Communication Technology

SP - 12

EP - 23

BT - Open Source Systems - 15th IFIP WG 2.13 International Conference, OSS 2019, Proceedings

A2 - Bordeleau, Francis

A2 - Sillitti, Alberto

A2 - Meirelles, Paulo

A2 - Lenarduzzi, Valentina

PB - Springer New York LLC

T2 - 15th International Conference on Open Source Systems, OSS 2019

Y2 - 26 May 2019 through 27 May 2019

ER -