An Empirical Study of Security-Policy Related Issues in Open Source Projects
- URL: http://arxiv.org/abs/2510.05604v2
- Date: Thu, 16 Oct 2025 05:53:49 GMT
- Title: An Empirical Study of Security-Policy Related Issues in Open Source Projects
- Authors: Rintaro Kanaji, Brittany Reid, Yutaro Kashiwa, Raula Gaikovina Kula, Hajimu Iida
- Abstract summary: GitHub recommends that projects adopt a security file that outlines vulnerability reporting procedures. This study aims to clarify the challenges that security files face in the vulnerability reporting process within open-source communities.
- Score: 1.334459247781299
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: GitHub recommends that projects adopt a security file that outlines vulnerability reporting procedures. However, the effectiveness and operational challenges of such files are not yet fully understood. This study aims to clarify the challenges that security files face in the vulnerability reporting process within open-source communities. Specifically, we classified and analyzed the content of 711 randomly sampled issues related to security files. We also conducted a quantitative comparative analysis of the close time and number of responses for issues concerning six community health files, including security files. Our analysis revealed that 79.5% of security file-related issues were requests to add the file, and reports that included links were closed, with a median time that was 2 days shorter. These findings offer practical insights for improving security reporting policies and community management, ultimately contributing to a more secure open-source ecosystem.
Related papers
- ORCA -- An Automated Threat Analysis Pipeline for O-RAN Continuous Development [57.61878484176942]
Open-Radio Access Network (O-RAN) integrates numerous software components in a cloud-like deployment, opening the radio access network to previously unconsidered security threats. Current vulnerability assessment practices often rely on manual, labor-intensive, and subjective investigations, leading to inconsistencies in the threat analysis. We propose an automated pipeline that leverages Natural Language Processing (NLP) to minimize human intervention and associated biases.
arXiv Detail & Related papers (2026-01-20T07:31:59Z)
- S3C2 SICP Summit 2025-06: Vulnerability Response Summit [51.90004414779634]
Researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) and the Software Innovation Campus Paderborn (SICP) conducted a Vulnerability Response Summit. The goal of the Summit is to enable sharing between industry practitioners having practical experiences and challenges with software supply chain security.
arXiv Detail & Related papers (2025-12-02T10:05:41Z)
- DeepResearchGuard: Deep Research with Open-Domain Evaluation and Multi-Stage Guardrails for Safety [55.30944259390733]
Deep research frameworks typically overlook crucial aspects of report quality such as credibility, coherence, breadth, depth, and safety. We introduce DEEPRESEARCHGUARD, a comprehensive framework featuring four-stage safeguards with open-domain evaluation of references and reports. Our evaluation spans diverse state-of-the-art LLMs, including GPT-4o, Gemini-2.5-flash, DeepSeek-v3, and o4-mini.
arXiv Detail & Related papers (2025-10-13T04:11:21Z)
- FORGE: An LLM-driven Framework for Large-Scale Smart Contract Vulnerability Dataset Construction [34.20628333535654]
FORGE is the first automated approach for constructing smart contract vulnerability datasets. We generate a dataset comprising 81,390 solidity files and 27,497 vulnerability findings across 296 CWE categories. Results reveal the significant limitations in current detection capabilities.
arXiv Detail & Related papers (2025-06-23T16:03:16Z)
- Beyond Jailbreaking: Auditing Contextual Privacy in LLM Agents [43.303548143175256]
This study proposes an auditing framework for conversational privacy that quantifies an agent's susceptibility to risks. The proposed Conversational Manipulation for Privacy Leakage (CMPL) framework is designed to stress-test agents that enforce strict privacy directives.
arXiv Detail & Related papers (2025-06-11T20:47:37Z)
- "I wasn't sure if this is indeed a security risk": Data-driven Understanding of Security Issue Reporting in GitHub Repositories of Open Source npm Packages [8.360992461585308]
This work collected 10,907,467 issues reported across GitHub repositories of 45,466 diverse npm packages. We found that the tags associated with these issues indicate the existence of only 0.13% security-related issues. Our approach of manual analysis followed by developing high accuracy machine learning models identifies 1,617,738 security-related issues which are not tagged as security-related.
arXiv Detail & Related papers (2025-06-09T13:11:35Z)
- When GPT Spills the Tea: Comprehensive Assessment of Knowledge File Leakage in GPTs [39.885773438374095]
We present a comprehensive risk assessment of knowledge file leakage, leveraging a novel workflow inspired by Data Security Posture Management (DSPM). Through the analysis of 651,022 GPT metadata, 11,820 flows, and 1,466 responses, we identify five leakage vectors. These vectors enable adversaries to extract sensitive knowledge file data such as titles, content, types, and sizes.
arXiv Detail & Related papers (2025-05-30T20:08:08Z)
- LongSafety: Evaluating Long-Context Safety of Large Language Models [95.2469116388522]
LongSafety is the first benchmark designed to evaluate safety in open-ended long-context tasks. Our evaluation reveals significant safety vulnerabilities, with most models achieving safety rates below 55%. Our findings emphasize the unique challenges and urgency of improving long-context safety.
arXiv Detail & Related papers (2025-02-24T08:54:39Z)
- On Categorizing Open Source Software Security Vulnerability Reporting Mechanisms on GitHub [1.7174932174564534]
Open-source projects are essential to software development, but publicly disclosing vulnerabilities without fixes increases the risk of exploitation. The Open Source Security Foundation (OpenSSF) addresses this issue by promoting robust security policies to enhance project security. Current research reveals that many projects perform poorly on OpenSSF criteria, indicating a need for stronger security practices.
arXiv Detail & Related papers (2025-02-11T09:23:24Z)
- Investigating Vulnerability Disclosures in Open-Source Software Using Bug Bounty Reports and Security Advisories [6.814841205623832]
We conduct an empirical study on 3,798 reviewed GitHub security advisories and 4,033 disclosed OSS bug bounty reports. We are the first to determine the explicit process describing how OSS vulnerabilities propagate from security advisories and bug bounty reports.
arXiv Detail & Related papers (2025-01-29T16:36:41Z)
- Trust, but Verify: Evaluating Developer Behavior in Mitigating Security Vulnerabilities in Open-Source Software Projects [0.11999555634662631]
This study investigates vulnerabilities in dependencies of sampled open-source software (OSS) projects. We have identified common issues in outdated or unmaintained dependencies that pose significant security risks. Results suggest that reducing the number of direct dependencies and prioritizing well-established libraries with strong security records are effective strategies for enhancing the software security landscape.
arXiv Detail & Related papers (2024-08-26T13:46:48Z)
- Characterising Contributions that Coincide with Vulnerability Mitigation in NPM Libraries [10.975379354505318]
We analyze NPM GitHub projects affected by 554 different vulnerability advisories, mining a total of 4,699 coinciding PRs and Issues. We believe that tool development and improved workload management for developers have the potential to create a more efficient and effective vulnerability mitigation process.
arXiv Detail & Related papers (2024-06-17T09:33:08Z)
- Efficiently Detecting Reentrancy Vulnerabilities in Complex Smart Contracts [35.26195628798847]
Existing vulnerability detection tools perform poorly in terms of efficiency and successful detection rates for vulnerabilities in complex contracts. SliSE provides a robust and efficient method for detection of Reentrancy vulnerabilities for complex contracts.
arXiv Detail & Related papers (2024-03-17T16:08:30Z)
- Profile of Vulnerability Remediations in Dependencies Using Graph Analysis [40.35284812745255]
This research introduces graph analysis methods and a modified Graph Attention Convolutional Neural Network (GAT) model. We analyze control flow graphs to profile breaking changes in applications occurring from dependency upgrades intended to remediate vulnerabilities. Results demonstrate the effectiveness of the enhanced GAT model in offering nuanced insights into the relational dynamics of code vulnerabilities.
arXiv Detail & Related papers (2024-03-08T02:01:47Z)
- Communicating on Security within Software Development Issue Tracking [0.0]
We analyse interfaces from prominent issue trackers to see how they support security communication and how they integrate security scoring. Users in our study were not comfortable with CVSS analysis, though they were able to reason in a manner compatible with CVSS. This suggests that adding improvements to communication through CVSS-like questioning in issue tracking software can elicit better security interactions.
arXiv Detail & Related papers (2023-08-25T16:38:27Z)
- Leveraging Traceability to Integrate Safety Analysis Artifacts into the Software Development Process [51.42800587382228]
Safety assurance cases (SACs) can be challenging to maintain during system evolution. We propose a solution that leverages software traceability to connect relevant system artifacts to safety analysis models. We elicit design rationales for system changes to help safety stakeholders analyze the impact of system changes on safety.
arXiv Detail & Related papers (2023-07-14T16:03:27Z)
- On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository. We retrieve over 53k potential vulnerable clones from Maven Central. We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z)
- Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance. We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems. We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z)
This list is automatically generated from the titles and abstracts of the papers in this site.