




















In the world of open-source software (OSS), the number of known vulnerabilities has tremendously increased. The GitHub Advisory Database contains advisories for security risks in GitHub-hosted OSS projects. As of 09/25/2023, there are 197,609 unreviewed GitHub security advisories. Of those unreviewed, at least 63,852 are publicly documented vulnerabilities, potentially leaving many OSS projects vulnerable. Recently, bug bounty platforms have emerged to focus solely on providing bounties to help secure OSS. In this paper, we conduct an empirical study on 3,798 reviewed GitHub security advisories and 4,033 disclosed OSS bug bounty reports, a perspective that is currently understudied, because they contain comprehensive information about security incidents, e.g., the nature of vulnerabilities, their impact, and how they were resolved. We are the first to determine the explicit process describing how OSS vulnerabilities propagate from security advisories and bug bounty reports, which are the main intermediaries between vulnerability reporters, OSS maintainers, and dependent projects, to vulnerable OSS projects and entries in global vulnerability databases and possibly back. This process uncovers how missing or delayed CVE assignments for OSS vulnerabilities result in projects, both in and out of OSS, not being notified of necessary security updates promptly and corresponding bottlenecks. Based on our findings, we provide suggestions, actionable items, and future research directions to help improve the security posture of OSS projects.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。