An Empirical Study of Security-Policy Related Issues in Open Source Projects
Wed 3 Dec 2025 14:00 - 14:30 at Sala Espositiva (Exhibition Hall) - Poster Session 2
GitHub recommends that projects adopt a SECURITY.md file that outlines vulnerability reporting procedures. However, the effectiveness and operational challenges of such files are not yet fully understood. This study aims to clarify the challenges that SECURITY.md files face in the vulnerability reporting process within open-source communities. Specifically, we classified and analyzed the content of 711 randomly sampled issues related to SECURITY.md. We also conducted a quantitative comparative analysis of the close time and number of responses for issues concerning six community health files, including SECURITY.md. Our analysis revealed that 79.5% of SECURITY.md-related issues were requests to add the file, and that issues which included links were closed faster, with a median close time 2 days shorter. These findings offer practical insights for improving security reporting policies and community management, ultimately contributing to a more secure open-source ecosystem.

Slides: An Empirical Study of Security-Policy Related Issues in Open Source Projects (PROFES_slide_RintaroKanaji.pdf, 10.5MiB)
Wed 3 Dec (displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)

11:30 - 13:00 | Software Composition, Compliance, and Security (Research Papers / Short Papers and Posters / Industry Papers) at Sala degli Affreschi (Fresco Room). Chair(s): Eriks Klotins (Blekinge Institute of Technology)

| Time | Slot | Title | Track | Authors | Links |
| --- | --- | --- | --- | --- | --- |
| 11:30 | 15m Talk | AI Alignment for Ethical Compliance and Risk Mitigation in Industrial Applications | Research Papers | Rushali Gupta (Lund University), Qunying Song (University College London), Matthias Wagner (Lund University), Emelie Engstrom (Lund University), Emma Söderberg (Lund University), Markus Borg (CodeScene), Per Runeson (Lund University) | |
| 11:45 | 15m Talk | FOSS-chain: using blockchain for Open Source Software license compliance | Research Papers | Kypros Iacovou (University of Cyprus), Georgia Kapitsaki (University of Cyprus), Evangelia Vanezi (University of Cyprus) | File attached |
| 12:00 | 15m Talk | Pipelines Under Pressure: An Empirical Study of Security Misconfigurations of GitHub Workflows | Research Papers | Edoardo Riggio (Software Institute - USI, Lugano), Cesare Pautasso (Software Institute, Faculty of Informatics, USI Lugano) | DOI |
| 12:15 | 15m Talk | Policy-driven Software Bill of Materials on GitHub: An Empirical Study | Research Papers | Oleksii Novikov (Blekinge Institute of Technology), Davide Fucci (Blekinge Institute of Technology), Oleksandr Adamov (Blekinge Institute of Technology), Daniel Mendez (Blekinge Institute of Technology and fortiss) | |
| 12:30 | 10m Talk | Cross-Domain Evaluation of Transformer-Based Vulnerability Detection on Open & Industry Data | Industry Papers | Moritz Mock (Free University of Bozen-Bolzano), Thomas Forrer (Wurth Phoenix S.r.l.), Barbara Russo (Free University of Bolzano) | DOI, Pre-print, File attached |
| 12:40 | 7m Talk | Detecting and Characterizing Low and No Functionality Packages in the NPM Ecosystem | Short Papers and Posters | Napasorn Tevarut (Kasetsart University), Brittany Reid (Nara Institute of Science and Technology), Yutaro Kashiwa (Nara Institute of Science and Technology), Pattara Leelaprute (Kasetsart University), Arnon Rungsawang (Kasetsart University), Bundit Manaskasemsak (Kasetsart University), Hajimu Iida (Nara Institute of Science and Technology) | File attached |
| 12:47 | 7m Talk | An Empirical Study of Security-Policy Related Issues in Open Source Projects | Short Papers and Posters | Rintaro Kanaji (Nara Institute of Science and Technology), Brittany Reid (Nara Institute of Science and Technology), Yutaro Kashiwa (Nara Institute of Science and Technology), Raula Gaikovina Kula (The University of Osaka), Hajimu Iida (Nara Institute of Science and Technology) | File attached |

14:00 - 14:30 | Poster Session 2 at Sala Espositiva (Exhibition Hall)

| Time | Slot | Title | Track | Authors | Links |
| --- | --- | --- | --- | --- | --- |
| 14:00 | 30m Talk | Enhancing Regulation-Adherent Requirement Engineering with Contextual AI: An industrial study | Industry Papers | Orhan Sirin (Solita Oy), Malik Sami (Tampere University), Tuomas Granlund (Solita Oy), Jussi Rasku (Tampere University), Zheying Zhang (Tampere University), Pekka Abrahamsson (Tampere University) | |
| 14:00 | 30m Talk | An Empirical Study of Security-Policy Related Issues in Open Source Projects | Short Papers and Posters | Rintaro Kanaji (Nara Institute of Science and Technology), Brittany Reid (Nara Institute of Science and Technology), Yutaro Kashiwa (Nara Institute of Science and Technology), Raula Gaikovina Kula (The University of Osaka), Hajimu Iida (Nara Institute of Science and Technology) | File attached |
| 14:00 | 30m Talk | Towards Understanding the Developer Experience in Quantum Software Development | Short Papers and Posters | Ronja Heikkinen (University of Jyväskylä), Majid Haghparast (University of Jyväskylä), Tommi Mikkonen (University of Jyväskylä) | |