Open Source Vulnerability Notification

Brandon Carlson, Kevin Leach, Darko Marinov, Meiyappan Nagappan, Atul Prakash

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


The use of third-party libraries to manage software complexity can expose open source software projects to vulnerabilities. However, project owners do not currently have a standard way to enable private disclosure of potential security vulnerabilities. This neglect may be caused in part by the absence of a template to follow for disclosing such vulnerabilities. We analyzed 600 GitHub projects to determine how many contained a vulnerable dependency and whether the projects had a process in place to privately communicate security issues. We found that 385 out of 600 open source Java projects contained at least one vulnerable dependency, and only 13 of those 385 projects had a security vulnerability reporting process. That is, 96.6% of the projects with a vulnerability had no security notification process in place to allow for private disclosure. In determining whether the projects even had contact information publicly available, we found that 19.8% had no contact information publicly available, let alone a security vulnerability reporting process. We suggest two methods to allow community members to privately disclose potential security vulnerabilities.

Original language: English (US)
Title of host publication: Open Source Systems - 15th IFIP WG 2.13 International Conference, OSS 2019, Proceedings
Editors: Francis Bordeleau, Alberto Sillitti, Paulo Meirelles, Valentina Lenarduzzi
Publisher: Springer New York LLC
Number of pages: 12
ISBN (Print): 9783030208820
State: Published - 2019
Event: 15th International Conference on Open Source Systems, OSS 2019 - Montreal, Canada
Duration: May 26 2019 - May 27 2019

Publication series

Name: IFIP Advances in Information and Communication Technology
ISSN (Print): 1868-4238
ISSN (Electronic): 1868-422X


Conference: 15th International Conference on Open Source Systems, OSS 2019


  • Open source
  • Security disclosure
  • Vulnerable dependency

ASJC Scopus subject areas

  • Information Systems
  • Computer Networks and Communications
  • Information Systems and Management
