Who are Vulnerability Reporters? A Large-scale Empirical Study on FLOSS (ESEM 2021 - Technical Papers)

Who

Nikolaos Alexopoulos, Andy Meneely, Dorian Arnouts, Max Mühlhäuser

Track

ESEM 2021 Technical Papers

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Tue 12 Oct 2021 16:00 - 16:15 at ESEM ROOM - Testing & Security 2 Chair(s): Davide Fucci

Abstract

Background. Software vulnerabilities pose a serious threat to the security of computer systems. Hence, there is a constant race for defenders to find and patch them before attackers are able to exploit them. Measuring different aspects of this process is important in order to better understand it and improve the odds for defenders.

Aims. The human factor of the vulnerability discovery and patching process has received limited attention. Better knowledge of the characteristics of the people and organizations who discover and report security vulnerabilities can considerably enhance our understanding of the process, provide insights regarding the expended effort in vulnerability hunting, contribute to better security metrics, and help guide practical decisions regarding the strategy of projects to attract vulnerability researchers.

Method. In this paper, we present what is, to the best of our knowledge, the first large-scale empirical study on the people and organizations who report vulnerabilities in popular FLOSS projects. Collecting data from a multitude of publicly available sources (NVD, bug-tracking platforms, vendor advisories, source code repositories), we create a dataset of reporter information for 2193 unique reporting entities of 4756 CVEs affecting the Mozilla suite, Apache httpd, the PHP interpreter, and the Linux kernel. We use the dataset to investigate several aspects of the vulnerability discovery process, specifically regarding the distribution of contributions, their temporal characteristics, and the motivations of reporters.

Results. Among our results: around 80% of reports come from 20% of reporters; first time reporters are significant contributors to the yearly total in all 4 projects; productive reporters are specialized w.r.t. the project and vulnerability types; around half of all reports come from reporters acknowledging an affiliation.

Conclusions. Projects depend both on a core of dedicated and productive reporters, and on small contributions from a large number of community reporters. The generalized Pareto principle (the (1 - p)/p law) can be used as a metric for the concentration of contributions in the vulnerability-reporting ecosystem of a project.

Link to Preprint

https://fileserver.tk.informatik.tu-darmstadt.de/Publications/2021/alexopoulos2021reporters.pdf

Nikolaos Alexopoulos

Technical University of Darmstadt

Germany

Andy Meneely

Rochester Institute of Technology

United States

Dorian Arnouts

Technical University of Darmstadt

Germany

Max Mühlhäuser

Technical University of Darmstadt

Germany

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Tue 12 Oct
Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

15:30 - 16:35	Testing & Security 2Technical Papers / Emerging Results and Vision papers at ESEM ROOM Chair(s): Davide Fucci Blekinge Institute of Technology

15:30 15m Talk		Barriers to Shift-Left Security: The Unique Pain Points of Writing Automated Tests Involving Security Controls Technical Papers Danielle Gonzalez Rochester Institute of Technology and Microsoft, Paola Peralta Perez Rochester Institute of Technology, Mehdi Mirakhorli Rochester Institute of Technology DOI
15:45 15m Talk		Security Smells Pervade Mobile App Servers Technical Papers Pascal Gadient University of Bern, Marc-Andrea Tarnutzer University of Bern, Oscar Nierstrasz University of Bern, Switzerland, Mohammad Ghafari University of Auckland Pre-print
16:00 15m Talk		Who are Vulnerability Reporters? A Large-scale Empirical Study on FLOSS Technical Papers Nikolaos Alexopoulos Technical University of Darmstadt, Andy Meneely Rochester Institute of Technology, Dorian Arnouts Technical University of Darmstadt, Max Mühlhäuser Technical University of Darmstadt Pre-print
16:15 10m Talk		Python Crypto Misuses in the Wild Emerging Results and Vision papers Anna-Katharina Wickert TU Darmstadt, Germany, Lars Baumgärtner TU Darmstadt, Florian Breitfelder TU Darmstadt, Mira Mezini TU Darmstadt, Germany Pre-print Media Attached
16:25 10m Talk		Web Application Testing: Using Tree Kernels to Detect Near-duplicate States in Automated Model Inference Emerging Results and Vision papers Anna Corazza Università degli Studi di Napoli Federico II, Sergio Di Martino Università degli Studi di Napoli Federico II, Adriano Peron Università degli Studi di Napoli Federico II, Luigi Libero Lucio Starace Università degli Studi di Napoli Federico II Pre-print Media Attached

Information for Participants

Tue 12 Oct 2021 15:30 - 16:35 at ESEM ROOM - Testing & Security 2 Chair(s): Davide Fucci

Info for room ESEM ROOM:

https://www.youtube.com/c/ESEM_Conference