ESEM 2021
Mon 11 - Fri 15 October 2021
Tue 12 Oct 2021 16:00 - 16:15 at ESEM ROOM - Testing & Security 2 Chair(s): Davide Fucci

Background. Software vulnerabilities pose a serious threat to the security of computer systems. Hence, there is a constant race for defenders to find and patch them before attackers are able to exploit them. Measuring different aspects of this process is important in order to better understand it and improve the odds for defenders.

Aims. The human factor of the vulnerability discovery and patching process has received limited attention. Better knowledge of the characteristics of the people and organizations who discover and report security vulnerabilities can considerably enhance our understanding of the process, provide insights regarding the expended effort in vulnerability hunting, contribute to better security metrics, and help guide practical decisions regarding the strategy of projects to attract vulnerability researchers.

Method. In this paper, we present what is, to the best of our knowledge, the first large-scale empirical study on the people and organizations who report vulnerabilities in popular FLOSS projects. Collecting data from a multitude of publicly available sources (NVD, bug-tracking platforms, vendor advisories, source code repositories), we create a dataset of reporter information for 2193 unique reporting entities of 4756 CVEs affecting the Mozilla suite, Apache httpd, the PHP interpreter, and the Linux kernel. We use the dataset to investigate several aspects of the vulnerability discovery process, specifically regarding the distribution of contributions, their temporal characteristics, and the motivations of reporters.

Results. Among our results: around 80% of reports come from 20% of reporters; first time reporters are significant contributors to the yearly total in all 4 projects; productive reporters are specialized w.r.t. the project and vulnerability types; around half of all reports come from reporters acknowledging an affiliation.

Conclusions. Projects depend both on a core of dedicated and productive reporters, and on small contributions from a large number of community reporters. The generalized Pareto principle (the (1 - p)/p law) can be used as a metric for the concentration of contributions in the vulnerability-reporting ecosystem of a project.
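The concentration metric named in the conclusions above, worked through in code. This is an added example, not code from the paper or its authors: it takes one credited reporter per CVE, ranks reporters by report count, checks the classic 80/20 share, and finds the crossing point of the generalized Pareto rule (the smallest fraction p of reporters accounting for at least a 1 - p fraction of reports). The reporter names and counts in SAMPLE_REPORTS are constructed sample data, not figures from the study, and the function names are this example's own.

```python
"""Measuring how concentrated vulnerability reporting is across reporters.

Added worked example (not code from the ESEM 2021 paper): given one
credited reporter per CVE, rank reporters by report count and find the
crossing point of the generalized Pareto rule, i.e. the smallest fraction
p of reporters that accounts for at least a 1 - p fraction of reports.
SAMPLE_REPORTS is constructed sample data, not data from the study.
"""
import math
from collections import Counter

# Constructed sample: one list entry per CVE, naming the credited reporter.
# A small productive core plus a long tail of one-off reporters.
SAMPLE_REPORTS = (
    ["alice"] * 40 + ["bob"] * 25 + ["carol"] * 12 + ["dave"] * 8
    + ["erin"] * 5 + ["frank"] * 3 + ["grace"] * 2
    + [f"one-off-{i}" for i in range(20)]
)


def reports_per_reporter(reports):
    """Map each reporting entity to the number of CVEs credited to it."""
    return Counter(reports)


def _ranked_counts(counts):
    """Report counts sorted from most to least productive reporter."""
    return sorted(counts.values(), reverse=True)


def top_share(counts, p):
    """Fraction of all reports credited to the top-p fraction of reporters.

    p is rounded up to a whole number of reporters so that a small p still
    selects at least one. top_share(counts, 0.2) is the '80/20' check.
    """
    ranked = _ranked_counts(counts)
    k = max(1, math.ceil(p * len(ranked)))
    return sum(ranked[:k]) / sum(ranked)


def pareto_p(counts):
    """Smallest p (as k/n over n reporters) with top-p share >= 1 - p.

    Walks the ranked list once: the cumulative share rises with k while
    1 - k/n falls, so the first k where they cross is the answer. A lower
    p means reporting is more concentrated; a perfectly even distribution
    gives a p just above 0.5.
    """
    ranked = _ranked_counts(counts)
    total = sum(ranked)
    n = len(ranked)
    cumulative = 0
    for k, c in enumerate(ranked, start=1):
        cumulative += c
        if cumulative / total >= 1 - k / n:
            return k / n
    return 1.0


def one_off_share(counts):
    """Fraction of reports credited to reporters who appear exactly once,
    i.e. the 'many small contributions' side of the distribution."""
    total = sum(counts.values())
    return sum(1 for c in counts.values() if c == 1) / total


if __name__ == "__main__":
    counts = reports_per_reporter(SAMPLE_REPORTS)
    print(f"{len(counts)} reporters, {sum(counts.values())} reports")
    print(f"top 20% of reporters account for {top_share(counts, 0.2):.1%}")
    print(f"Pareto crossing p = {pareto_p(counts):.3f}")
    print(f"one-off reporters account for {one_off_share(counts):.1%}")
```

On the constructed sample the crossing lands at p = 6/27 (about 0.22), with the top 20% of reporters credited for roughly 81% of reports; running the same functions over a real per-CVE credit list for a project gives the per-project concentration figure the conclusions describe.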

Tue 12 Oct

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

15:30 - 16:35
Testing & Security 2 (Technical Papers / Emerging Results and Vision papers) at ESEM ROOM
Chair(s): Davide Fucci Blekinge Institute of Technology
15:30
15m
Talk
Barriers to Shift-Left Security: The Unique Pain Points of Writing Automated Tests Involving Security Controls
Technical Papers
Danielle Gonzalez Rochester Institute of Technology and Microsoft, Paola Peralta Perez Rochester Institute of Technology, Mehdi Mirakhorli Rochester Institute of Technology
15:45
15m
Talk
Security Smells Pervade Mobile App Servers
Technical Papers
Pascal Gadient University of Bern, Marc-Andrea Tarnutzer University of Bern, Oscar Nierstrasz University of Bern, Switzerland, Mohammad Ghafari University of Auckland
16:00
15m
Talk
Who are Vulnerability Reporters? A Large-scale Empirical Study on FLOSS
Technical Papers
Nikolaos Alexopoulos Technical University of Darmstadt, Andy Meneely Rochester Institute of Technology, Dorian Arnouts Technical University of Darmstadt, Max Mühlhäuser Technical University of Darmstadt
16:15
10m
Talk
Python Crypto Misuses in the Wild
Emerging Results and Vision papers
Anna-Katharina Wickert TU Darmstadt, Germany, Lars Baumgärtner TU Darmstadt, Florian Breitfelder TU Darmstadt, Mira Mezini TU Darmstadt, Germany
16:25
10m
Talk
Web Application Testing: Using Tree Kernels to Detect Near-duplicate States in Automated Model Inference
Emerging Results and Vision papers
Anna Corazza Università degli Studi di Napoli Federico II, Sergio Di Martino Università degli Studi di Napoli Federico II, Adriano Peron Università degli Studi di Napoli Federico II, Luigi Libero Lucio Starace Università degli Studi di Napoli Federico II

Information for Participants
Tue 12 Oct 2021 15:30 - 16:35 at ESEM ROOM - Testing & Security 2 Chair(s): Davide Fucci
Info for room ESEM ROOM:

https://www.youtube.com/c/ESEM_Conference