Game of detections: how are security vulnerabilities discovered in the wild?


Detailed description

Saved in:
Bibliographic details
Published in: Empirical Software Engineering: An International Journal, vol. 21, no. 5, pp. 1920-1959
Main authors: Hafiz, Munawar; Fang, Ming
Format: Journal Article
Language: English
Published: New York: Springer US, 2016-10-01 (Springer Nature B.V.)
Online access: Full text
Abstract: There is little or no information available on what actually happens when a software vulnerability is detected. We performed an empirical study on reporters of the three most prominent security vulnerabilities: buffer overflow, SQL injection, and cross-site scripting. The goal was to understand the methods and tools used during discovery, and whether the community of developers exploring one security vulnerability differs in its approach from the community exploring a different vulnerability. The reporters were featured in the SecurityFocus repository for twelve-month periods for each vulnerability. We collected 127 responses. We found that the communities differ based on the security vulnerability they target, but within a specific community, reporters follow similar approaches. We also found a serious problem in the vulnerability reporting process that is common to all communities. Most reporters, especially the experienced ones, favor full disclosure and do not collaborate with the vendors of vulnerable software. They think that public disclosure, sometimes supported by a detailed exploit, will put pressure on vendors to fix the vulnerabilities. But, in practice, vulnerabilities not reported to vendors are less likely to be fixed. Ours is the first study on vulnerability repositories that targets the reporters of the most common security vulnerabilities, thus concentrating on the people involved in the process; previous works have overlooked this rich information source. The results are valuable for beginners exploring how to detect and report security vulnerabilities, and for tool vendors and researchers exploring how to automate and fix the process.
Author 1: Hafiz, Munawar (munawar.hafiz@gmail.com), Department of Computer Science and Software Engineering, Auburn University
Author 2: Fang, Ming, Department of Computer Science and Software Engineering, Auburn University
Cited by (Crossref identifiers): crossref_primary_10_5325_jinfopoli_7_1_0372; crossref_primary_10_5325_jinfopoli_7_2017_0372; crossref_primary_10_1371_journal_pone_0304467; crossref_primary_10_1016_j_chb_2019_09_028; crossref_primary_10_1016_j_cosrev_2025_100728; crossref_primary_10_1016_j_cose_2022_102936; crossref_primary_10_1145_3716822; crossref_primary_10_1016_j_infsof_2025_107786; crossref_primary_10_1007_s10664_022_10179_6
Content type: Journal Article
Copyright: Springer Science+Business Media New York 2015; Springer Science & Business Media 2016
DOI: 10.1007/s10664-015-9403-7
Discipline: Computer Science
EISSN: 1573-7616
End page: 1959
ISSN: 1382-3256
Peer reviewed: yes
Scholarly: yes
Issue: 5
Keywords: Secure software engineering; Empirical study; Vulnerability
Language: English
Page count: 40
Publication date: 2016-10-01
Publication place: New York (also listed: Dordrecht)
Publication title: Empirical Software Engineering: An International Journal (abbreviated Empir Software Eng)
Publication year: 2016
Publisher: Springer US; Springer Nature B.V.
Start page: 1920
Subject terms: Communities; Compilers; Computer information security; Computer programs; Computer Science; Cybersecurity; Developers; Games; Interpreters; Programming Languages; Query languages; Repositories; Security; Software; Software Engineering/Programming and Operating Systems
URLs:
https://link.springer.com/article/10.1007/s10664-015-9403-7
https://www.proquest.com/docview/2063792005
https://www.proquest.com/docview/1835600894
Volume: 21