Reducing the time taken to discover and fix vulnerabilities in open source software projects is increasingly relevant to technology entrepreneurs and technology managers at all levels of industry. Rigorous research requires access to valid and reliable data on when vulnerabilities were introduced, discovered, and closed. This article offers three contributions about measurement and data availability: (1) an approach to measuring the time to discover and time to fix vulnerabilities in open source software projects, (2) evidence that combining project release histories and metrics from two online databases can provide reliable proxy dates for vulnerability introduction and fix, but not discovery, and (3) possible technical and open collaboration solutions to the data availability limitations of current databases. These results were part of a larger mixed-method study on the relationship between open source project and community attributes and software vulnerabilities with a data set of 1268 vulnerabilities affecting the software produced by 60 open source projects.
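As an added illustration of contribution (1) and of the data limitation in contribution (2), the following Python script is not the paper's code or its exact measurement procedure; it assumes the simplest reading of the abstract: a project's release history supplies the date of the first affected release (proxy for introduction) and of the first fixed release (proxy for fix), while a public database entry supplies only a publication date, which can only bound the discovery date from above. The release history, the vulnerability identifiers and the database entries are all constructed for this example.

```python
"""Proxy dates for vulnerability introduction, fix and discovery.

Added example, not code from the paper. Release history and database
records below are constructed; the identifiers are placeholders, not
real advisories.
"""

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed release history of a hypothetical project (version -> release date).
RELEASES: Dict[str, date] = {
    "1.0.0": date(2016, 1, 10),
    "1.1.0": date(2016, 6, 15),
    "1.2.0": date(2017, 2, 1),
    "1.2.1": date(2017, 3, 20),
    "2.0.0": date(2017, 11, 5),
}


@dataclass(frozen=True)
class VulnRecord:
    """Minimal shape of a database entry joined with the release history."""
    vuln_id: str                # placeholder identifier, not a real CVE
    first_affected: str         # earliest release containing the flaw
    first_fixed: Optional[str]  # earliest release with the fix; None if still open
    published: date             # date the public database entry appeared


def version_key(version: str) -> tuple:
    """Numeric ordering of dotted versions so '1.10.0' sorts after '1.2.0'."""
    return tuple(int(part) for part in version.split("."))


def introduction_date(rec: VulnRecord) -> date:
    return RELEASES[rec.first_affected]


def fix_date(rec: VulnRecord) -> Optional[date]:
    return None if rec.first_fixed is None else RELEASES[rec.first_fixed]


def consistency_error(rec: VulnRecord) -> Optional[str]:
    """Return why a record cannot be measured, or None if it is usable.

    These checks catch the version-range mistakes that make proxy intervals
    meaningless: unknown versions, a 'fix' that does not follow the affected
    release, and an entry published before the flaw could have existed."""
    if rec.first_affected not in RELEASES:
        return f"unknown affected version {rec.first_affected}"
    if rec.first_fixed is not None:
        if rec.first_fixed not in RELEASES:
            return f"unknown fixed version {rec.first_fixed}"
        if version_key(rec.first_fixed) <= version_key(rec.first_affected):
            return "fixed version does not follow affected version"
    if rec.published < introduction_date(rec):
        return "published before the first affected release"
    return None


def time_to_fix_days(rec: VulnRecord) -> Optional[int]:
    """Days from first affected release to first fixed release; None if unfixed."""
    fixed = fix_date(rec)
    return None if fixed is None else (fixed - introduction_date(rec)).days


def discovery_upper_bound_days(rec: VulnRecord) -> int:
    """Days from introduction to publication.

    Only an upper bound on time to discover: whoever found the flaw knew of
    it no later than the publication date, but the database does not record
    when. This is the discovery-date gap the abstract reports."""
    return (rec.published - introduction_date(rec)).days


def summarize(records: List[VulnRecord]) -> Dict[str, dict]:
    """Per-vulnerability proxies; inconsistent records are flagged, not dropped silently."""
    out: Dict[str, dict] = {}
    for rec in records:
        err = consistency_error(rec)
        if err:
            out[rec.vuln_id] = {"error": err}
            continue
        fixed = fix_date(rec)
        out[rec.vuln_id] = {
            "introduced": introduction_date(rec).isoformat(),
            "fixed": fixed.isoformat() if fixed else None,
            "time_to_fix_days": time_to_fix_days(rec),
            "discovery_days_upper_bound": discovery_upper_bound_days(rec),
        }
    return out


# Constructed records covering the three cases a practitioner meets in practice.
SAMPLE: List[VulnRecord] = [
    VulnRecord("VULN-A", "1.1.0", "1.2.1", date(2017, 3, 25)),  # fixed, then published
    VulnRecord("VULN-B", "1.0.0", None, date(2017, 12, 1)),     # published, still open
    VulnRecord("VULN-C", "2.0.0", None, date(2017, 1, 1)),      # inconsistent entry
]

if __name__ == "__main__":
    for vid, row in summarize(SAMPLE).items():
        print(vid, row)
```

The point of keeping `discovery_upper_bound_days` separate from `time_to_fix_days` is that the two intervals have different evidential status: the fix interval comes from two observable release dates, whereas the discovery interval is censored on the left and must be reported as a bound, or left out of any analysis that treats it as a measurement.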

dx.doi.org/10.23919/PICMET.2018.8481833
2018 Portland International Conference on Management of Engineering and Technology, PICMET 2018
Sprott School of Business

Muegge, S., & Murshed, S. M. M. (2018). Time to discover and fix software vulnerabilities in open source software projects: Notes on measurement and data availability. In PICMET 2018 - Portland International Conference on Management of Engineering and Technology: Managing Technological Entrepreneurship: The Engine for Economic Growth, Proceedings. doi:10.23919/PICMET.2018.8481833