Investigating the Vulnerability Fixing Process in OSS Projects: Peculiarities and Challenges

Computers & Security (2020)

Citations: 9 | Views: 12
Abstract
Although vulnerabilities can be considered and treated as bugs, they present numerous peculiarities compared to other types of bugs (canonical bugs in the remainder of the paper). A vulnerability adds functionality to a system, as it allows an adversary to misuse or abuse the system, whereas a canonical bug is an incomplete or incorrect implementation of a requirement and thus degrades the functionality of the system. This difference can affect the fixing process of vulnerabilities. By mining the repositories of 6 open source projects, we characterize the differences in the fixing process between vulnerabilities and canonical bugs, highlighting critical issues that could represent challenges for future research. Results of our study demonstrate that: (i) more re-assignments (than those observed for canonical bugs) are required to find the developers able to handle vulnerability-related bugs; (ii) developers' security-related skills should be profiled to improve the efficiency of security bug assignment and, consequently, reduce re-assignments; and (iii) vulnerabilities require more effort, contributors and time to define the fixing strategy, but less time to fix, than canonical bugs. (C) 2020 Elsevier Ltd. All rights reserved.
Keywords
Security bugs, Process improvement, Software maintenance and evolution, Bug management, Empirical study