TY - GEN
T1 - Open Source Vulnerability Notification
AU - Carlson, Brandon
AU - Leach, Kevin
AU - Marinov, Darko
AU - Nagappan, Meiyappan
AU - Prakash, Atul
N1 - Funding Information:
We thank Snyk [26] for providing us access to their tool and data. This material is based upon work partially supported by the US Air Force Research Laboratory under Contract FA8750-15-2-0075 and US National Science Foundation under Grant Nos. CNS-1646305, CNS-1646392, CNS-1740897, and CNS-1740916.
PY - 2019
Y1 - 2019
N2 - The use of third-party libraries to manage software complexity can expose open source software projects to vulnerabilities. However, project owners do not currently have a standard way to enable private disclosure of potential security vulnerabilities. This neglect may be caused in part by having no template to follow for disclosing such vulnerabilities. We analyzed 600 GitHub projects to determine how many projects contained a vulnerable dependency and whether the projects had a process in place to privately communicate security issues. We found that 385 out of 600 open source Java projects contained at least one vulnerable dependency, and only 13 of those 385 projects had a security vulnerability reporting process. That is, 96.6% of the projects with a vulnerability did not have a security notification process in place to allow for private disclosure. In determining whether the projects even had contact information publicly available, we found that 19.8% had no contact information publicly available, let alone a security vulnerability reporting process. We suggest two methods to allow for community members to privately disclose potential security vulnerabilities.
AB - The use of third-party libraries to manage software complexity can expose open source software projects to vulnerabilities. However, project owners do not currently have a standard way to enable private disclosure of potential security vulnerabilities. This neglect may be caused in part by having no template to follow for disclosing such vulnerabilities. We analyzed 600 GitHub projects to determine how many projects contained a vulnerable dependency and whether the projects had a process in place to privately communicate security issues. We found that 385 out of 600 open source Java projects contained at least one vulnerable dependency, and only 13 of those 385 projects had a security vulnerability reporting process. That is, 96.6% of the projects with a vulnerability did not have a security notification process in place to allow for private disclosure. In determining whether the projects even had contact information publicly available, we found that 19.8% had no contact information publicly available, let alone a security vulnerability reporting process. We suggest two methods to allow for community members to privately disclose potential security vulnerabilities.
KW - Open source
KW - Security disclosure
KW - Vulnerable dependency
UR - http://www.scopus.com/inward/record.url?scp=85068989875&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85068989875&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-20883-7_2
DO - 10.1007/978-3-030-20883-7_2
M3 - Conference contribution
AN - SCOPUS:85068989875
SN - 9783030208820
T3 - IFIP Advances in Information and Communication Technology
SP - 12
EP - 23
BT - Open Source Systems - 15th IFIP WG 2.13 International Conference, OSS 2019, Proceedings
A2 - Bordeleau, Francis
A2 - Sillitti, Alberto
A2 - Meirelles, Paulo
A2 - Lenarduzzi, Valentina
PB - Springer New York LLC
T2 - 15th International Conference on Open Source Systems, OSS 2019
Y2 - 26 May 2019 through 27 May 2019
ER -