GitHub recommends that projects adopt a SECURITY.md file that outlines vulnerability reporting procedures. However, the effectiveness and operational challenges of such files are not yet fully understood. This study aims to clarify the challenges that SECURITY.md files face in the vulnerability reporting process within open-source communities. Specifically, we classified and analyzed the content of 711 randomly sampled issues related to SECURITY.md. We also conducted a quantitative comparative analysis of the close time and number of responses for issues concerning six community health files, including SECURITY.md. Our analysis revealed that 79.5% of SECURITY.md-related issues were requests to add the file, and reports that included links were closed, with a median time that was 2 days shorter. These findings offer practical insights for improving security reporting policies and community management, ultimately contributing to a more secure open-source ecosystem.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

An Empirical Study of Security-Policy Related Issues in Open Source Projects

  • Rintaro Kanaji,
  • Brittany Reid,
  • Yutaro Kashiwa,
  • Raula Gaikovina Kula,
  • Hajimu Iida

摘要

GitHub recommends that projects adopt a SECURITY.md file that outlines vulnerability reporting procedures. However, the effectiveness and operational challenges of such files are not yet fully understood. This study aims to clarify the challenges that SECURITY.md files face in the vulnerability reporting process within open-source communities. Specifically, we classified and analyzed the content of 711 randomly sampled issues related to SECURITY.md. We also conducted a quantitative comparative analysis of the close time and number of responses for issues concerning six community health files, including SECURITY.md. Our analysis revealed that 79.5% of SECURITY.md-related issues were requests to add the file, and reports that included links were closed, with a median time that was 2 days shorter. These findings offer practical insights for improving security reporting policies and community management, ultimately contributing to a more secure open-source ecosystem.