Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures
Reusing third-party libraries increases productivity and saves time and costs for developers. However, the downside is the presence of vulnerabilities in those libraries, which can lead to catastrophic outcomes. For instance, Apache Log4J was found to be vulnerable to remote code execution attacks. A total of more than 35,000 packages were forced to update their Log4J libraries with the latest version. Although several studies have been conducted to predict software vulnerabilities, the prediction does not cover the vulnerabilities found in third-party libraries. Even if the developers are aware of the forthcoming issue, replicating a function similar to the libraries would be time-consuming and labour-intensive. Nevertheless, it is practically reasonable for software developers to update their third-party libraries (and dependencies) whenever the software vendors have released a vulnerable-free version. In this work, our manual study focuses on the real-world practices (crowd reaction) adopted by software vendors and developer communities when a vulnerability is disclosed. We manually investigated 312 CVEs and identified that the primary trend of vulnerability handling is to provide a fix before publishing an announcement. Otherwise, developers wait an average of 10 days for a fix if it is unavailable upon the announcement. Additionally, the crowd reaction is oblivious to the vulnerability severity. In particular, we identified Oracle as the most vibrant community diligent in releasing fixes. Their software developers also actively participate in the associated vulnerability announcements.
Published in: | arXiv.org 2024-11 |
---|---|
Main authors: | Yi Wen Heng, Zeyang Ma, Haoxiang Zhang, Zhenhao Li, Tse-Hsun Chen |
Format: | Article |
Language: | eng |
Subjects: | Libraries; Software development; Software reliability; Software upgrading; Third party |
Online access: | Full text |
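The timeline question the abstract poses for each CVE (was a fix available when the announcement went out, and if not, how many days did developers wait, and does that wait track severity) can be reproduced on one's own dependency set with a small script. The following Python is an added example and not code from the paper or its authors; the CVE identifiers, dates and severity buckets in `SAMPLE` are constructed for illustration and are not the 312 CVEs the study examined. What to use as the announcement date and the fix date (CVE publication timestamp, vendor advisory, release tag) is left to the caller, since this page does not describe the paper's data sources.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Disclosure:
    cve_id: str            # identifier; the sample IDs below are made up
    announced: date        # date the vulnerability was publicly announced
    fixed: Optional[date]  # date a fixed release became available, None if none yet
    severity: str          # CVSS severity bucket: CRITICAL / HIGH / MEDIUM / LOW


# Constructed sample records for illustration only; these are not the 312 CVEs
# from the paper, and the dates and severities were chosen by hand.
SAMPLE: List[Disclosure] = [
    Disclosure("CVE-0000-0001", date(2024, 3, 10), date(2024, 3, 8), "CRITICAL"),
    Disclosure("CVE-0000-0002", date(2024, 3, 12), date(2024, 3, 12), "HIGH"),
    Disclosure("CVE-0000-0003", date(2024, 4, 1), date(2024, 4, 15), "HIGH"),
    Disclosure("CVE-0000-0004", date(2024, 4, 3), date(2024, 4, 10), "MEDIUM"),
    Disclosure("CVE-0000-0005", date(2024, 5, 20), None, "LOW"),
]


def classify(d: Disclosure) -> str:
    """Place one disclosure on the timeline relative to its announcement."""
    if d.fixed is None:
        return "unfixed"
    # A fix released on the announcement day counts as available at announcement.
    if d.fixed <= d.announced:
        return "fixed_before_announcement"
    return "fixed_after_announcement"


def wait_days(d: Disclosure) -> Optional[int]:
    """Days developers waited for a fix after the announcement; None if no wait."""
    if classify(d) != "fixed_after_announcement" or d.fixed is None:
        return None
    return (d.fixed - d.announced).days


def summarize(records: List[Disclosure]) -> Dict[str, object]:
    """Aggregate timeline counts, mean wait, and mean wait broken down by severity."""
    counts: Dict[str, int] = {
        "fixed_before_announcement": 0,
        "fixed_after_announcement": 0,
        "unfixed": 0,
    }
    waits: List[int] = []
    waits_by_severity: Dict[str, List[int]] = {}
    for d in records:
        counts[classify(d)] += 1
        w = wait_days(d)
        if w is not None:
            waits.append(w)
            waits_by_severity.setdefault(d.severity, []).append(w)
    return {
        "total": len(records),
        "counts": counts,
        "mean_wait_days": mean(waits) if waits else None,
        # If the per-severity means are all similar, the wait is insensitive to severity.
        "mean_wait_by_severity": {s: mean(ws) for s, ws in waits_by_severity.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE), indent=2))
```

On the constructed sample, two of five CVEs had a fix by announcement time, two were fixed afterwards with a mean wait of 10.5 days, and one is still unfixed; the per-severity breakdown only covers buckets that actually had a post-announcement wait, so a real run needs enough records per bucket before reading anything into it.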
container_title | arXiv.org |
---|---|
creator | Yi Wen Heng; Ma, Zeyang; Zhang, Haoxiang; Li, Zhenhao; Chen, Tse-Hsun |
format | Article |
publisher | Cornell University Library, arXiv.org (Ithaca) |
date | 2024-11-19 |
rights | 2024. This work is published under http://creativecommons.org/licenses/by/4.0/ (the "License"). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License. |
fulltext | fulltext |
identifier | EISSN: 2331-8422 |
ispartof | arXiv.org, 2024-11 |
issn | 2331-8422 |
language | eng |
recordid | cdi_proquest_journals_3128034342 |
source | Free E- Journals |
subjects | Libraries; Software development; Software reliability; Software upgrading; Third party |
title | Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-06T10%3A58%3A39IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=document&rft.atitle=Discovery%20of%20Timeline%20and%20Crowd%20Reaction%20of%20Software%20Vulnerability%20Disclosures&rft.jtitle=arXiv.org&rft.au=Yi%20Wen%20Heng&rft.date=2024-11-19&rft.eissn=2331-8422&rft_id=info:doi/&rft_dat=%3Cproquest%3E3128034342%3C/proquest%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=3128034342&rft_id=info:pmid/&rfr_iscdi=true |