{"title":"关于漏洞管理和平台安全功能的开源软件维护者混合方法研究","authors":"Jessy Ayala, Yu-Jye Tung, Joshua Garcia","doi":"arxiv-2409.07669","DOIUrl":null,"url":null,"abstract":"In open-source software (OSS), software vulnerabilities have significantly\nincreased. Although researchers have investigated the perspectives of\nvulnerability reporters and OSS contributor security practices, understanding\nthe perspectives of OSS maintainers on vulnerability management and platform\nsecurity features is currently understudied. In this paper, we investigate the\nperspectives of OSS maintainers who maintain projects listed in the GitHub\nAdvisory Database. We explore this area by conducting two studies: identifying\naspects through a listing survey ($n_1=80$) and gathering insights from\nsemi-structured interviews ($n_2=22$). Of the 37 identified aspects, we find\nthat supply chain mistrust and lack of automation for vulnerability management\nare the most challenging, and barriers to adopting platform security features\ninclude a lack of awareness and the perception that they are not necessary.\nSurprisingly, we find that despite being previously vulnerable, some\nmaintainers still allow public vulnerability reporting, or ignore reports\naltogether. Based on our findings, we discuss implications for OSS platforms\nand how the research community can better support OSS vulnerability management\nefforts.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2024-09-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"A Mixed-Methods Study of Open-Source Software Maintainers On Vulnerability Management and Platform Security Features\",\"authors\":\"Jessy Ayala, Yu-Jye Tung, Joshua Garcia\",\"doi\":\"arxiv-2409.07669\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In open-source software (OSS), software vulnerabilities have significantly\\nincreased. Although researchers have investigated the perspectives of\\nvulnerability reporters and OSS contributor security practices, understanding\\nthe perspectives of OSS maintainers on vulnerability management and platform\\nsecurity features is currently understudied. In this paper, we investigate the\\nperspectives of OSS maintainers who maintain projects listed in the GitHub\\nAdvisory Database. We explore this area by conducting two studies: identifying\\naspects through a listing survey ($n_1=80$) and gathering insights from\\nsemi-structured interviews ($n_2=22$). Of the 37 identified aspects, we find\\nthat supply chain mistrust and lack of automation for vulnerability management\\nare the most challenging, and barriers to adopting platform security features\\ninclude a lack of awareness and the perception that they are not necessary.\\nSurprisingly, we find that despite being previously vulnerable, some\\nmaintainers still allow public vulnerability reporting, or ignore reports\\naltogether. Based on our findings, we discuss implications for OSS platforms\\nand how the research community can better support OSS vulnerability management\\nefforts.\",\"PeriodicalId\":501278,\"journal\":{\"name\":\"arXiv - CS - Software Engineering\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-09-12\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"arXiv - CS - Software Engineering\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/arxiv-2409.07669\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Software Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2409.07669","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
A Mixed-Methods Study of Open-Source Software Maintainers On Vulnerability Management and Platform Security Features
In open-source software (OSS), software vulnerabilities have significantly
increased. Although researchers have investigated the perspectives of
vulnerability reporters and OSS contributor security practices, understanding
the perspectives of OSS maintainers on vulnerability management and platform
security features is currently understudied. In this paper, we investigate the
perspectives of OSS maintainers who maintain projects listed in the GitHub
Advisory Database. We explore this area by conducting two studies: identifying
aspects through a listing survey ($n_1=80$) and gathering insights from
semi-structured interviews ($n_2=22$). Of the 37 identified aspects, we find
that supply chain mistrust and lack of automation for vulnerability management
are the most challenging, and barriers to adopting platform security features
include a lack of awareness and the perception that they are not necessary.
Surprisingly, we find that despite being previously vulnerable, some
maintainers still allow public vulnerability reporting, or ignore reports
altogether. Based on our findings, we discuss implications for OSS platforms
and how the research community can better support OSS vulnerability management
efforts.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
