Open Source Vulnerability Notification - Open Source Systems
Conference Papers Year : 2019

Open Source Vulnerability Notification

Kevin Leach
  • Function : Author
  • PersonId : 1055476
Meiyappan Nagappan
  • Function : Author
  • PersonId : 1055477
Atul Prakash
  • Function : Author
  • PersonId : 1055478

Abstract

The use of third-party libraries to manage software complexity can expose open source software projects to vulnerabilities. However, project owners do not currently have a standard way to enable private disclosure of potential security vulnerabilities. This neglect may be caused in part by having no template to follow for disclosing such vulnerabilities. We analyzed 600 GitHub projects to determine how many projects contained a vulnerable dependency and whether the projects had a process in place to privately communicate security issues. We found that 385 out of 600 open source Java projects contained at least one vulnerable dependency, and only 13 of those 385 projects had a security vulnerability reporting process. That is, 96.6% of the projects with a vulnerability did not have a security notification process in place to allow for private disclosure. In determining whether the projects even had contact information publicly available, we found that 19.8% had no contact information publicly available, let alone a security vulnerability reporting process. We suggest two methods to allow for community members to privately disclose potential security vulnerabilities.
Fichier principal
Vignette du fichier
484969_1_En_2_Chapter.pdf (199.5 Ko) Télécharger le fichier
Origin Files produced by the author(s)
Loading...

Dates and versions

hal-02305712 , version 1 (04-10-2019)

Licence

Identifiers

Cite

Brandon Carlson, Kevin Leach, Darko Marinov, Meiyappan Nagappan, Atul Prakash. Open Source Vulnerability Notification. 15th IFIP International Conference on Open Source Systems (OSS), May 2019, Montreal, QC, Canada. pp.12-23, ⟨10.1007/978-3-030-20883-7_2⟩. ⟨hal-02305712⟩
107 View
140 Download

Altmetric

Share

More