Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Investigating Vulnerability Disclosures in Open-Source Software Using Bug Bounty Reports and Security Advisories

Jessy Ayala, Yu-Jye Tung, Joshua Garcia

TL;DR

This paper is the first to determine the explicit process describing how OSS vulnerabilities propagate from security advisories and bug bounty reports, which are the main intermediaries between vulnerability reporters, OSS maintainers, and dependent projects, to vulnerable OSS projects and entries in global vulnerability databases and possibly back.

Abstract

In the world of open-source software (OSS), the number of known vulnerabilities has tremendously increased. The GitHub Advisory Database contains advisories for security risks in GitHub-hosted OSS projects. As of 09/25/2023, there are 197,609 unreviewed GitHub security advisories. Of those unreviewed, at least 63,852 are publicly documented vulnerabilities, potentially leaving many OSS projects vulnerable. Recently, bug bounty platforms have emerged to focus solely on providing bounties to help secure OSS. In this paper, we conduct an empirical study on 3,798 reviewed GitHub security advisories and 4,033 disclosed OSS bug bounty reports, a perspective that is currently understudied, because they contain comprehensive information about security incidents, e.g., the nature of vulnerabilities, their impact, and how they were resolved. We are the first to determine the explicit process describing how OSS vulnerabilities propagate from security advisories and bug bounty reports, which are the main intermediaries between vulnerability reporters, OSS maintainers, and dependent projects, to vulnerable OSS projects and entries in global vulnerability databases and possibly back. This process uncovers how missing or delayed CVE assignments for OSS vulnerabilities result in projects, both in and out of OSS, not being notified of necessary security updates promptly and corresponding bottlenecks. Based on our findings, we provide suggestions, actionable items, and future research directions to help improve the security posture of OSS projects.

Investigating Vulnerability Disclosures in Open-Source Software Using Bug Bounty Reports and Security Advisories

TL;DR

This paper is the first to determine the explicit process describing how OSS vulnerabilities propagate from security advisories and bug bounty reports, which are the main intermediaries between vulnerability reporters, OSS maintainers, and dependent projects, to vulnerable OSS projects and entries in global vulnerability databases and possibly back.

Abstract

In the world of open-source software (OSS), the number of known vulnerabilities has tremendously increased. The GitHub Advisory Database contains advisories for security risks in GitHub-hosted OSS projects. As of 09/25/2023, there are 197,609 unreviewed GitHub security advisories. Of those unreviewed, at least 63,852 are publicly documented vulnerabilities, potentially leaving many OSS projects vulnerable. Recently, bug bounty platforms have emerged to focus solely on providing bounties to help secure OSS. In this paper, we conduct an empirical study on 3,798 reviewed GitHub security advisories and 4,033 disclosed OSS bug bounty reports, a perspective that is currently understudied, because they contain comprehensive information about security incidents, e.g., the nature of vulnerabilities, their impact, and how they were resolved. We are the first to determine the explicit process describing how OSS vulnerabilities propagate from security advisories and bug bounty reports, which are the main intermediaries between vulnerability reporters, OSS maintainers, and dependent projects, to vulnerable OSS projects and entries in global vulnerability databases and possibly back. This process uncovers how missing or delayed CVE assignments for OSS vulnerabilities result in projects, both in and out of OSS, not being notified of necessary security updates promptly and corresponding bottlenecks. Based on our findings, we provide suggestions, actionable items, and future research directions to help improve the security posture of OSS projects.

Paper Structure

This paper contains 22 sections, 3 figures, 11 tables.

Table of Contents

  1. Introduction
  2. Background and Research Questions
  3. Methodology
  4. Data Curation
  5. GitHub Security Advisories
  6. OSS Bug Bounty Reports
  7. Usage of Software Vulnerability Management (SVM) Features in OSS Projects
  8. Data Analysis
  9. Empirical Study
  10. RQ1: Review Turnaround Time for Security Advisories and Bug Bounty Reports
  11. RQ2: Routing Vulnerabilities with CVEs to National Vulnerability Database (NVD)
  12. RQ3: Exploring Bug Bounty Reports and Security Advisories With CVEs
  13. RQ4: Exploring Bug Bounty Reports and Security Advisories Without CVEs
  14. RQ5: Current Software Vulnerability Management (SVM) Feature Adoption in OSS
  15. Discussion
  16. ...and 7 more sections

Figures (3)

  • Figure 1: Report-and-Resolve Flows of an Open-source Vulnerability Using a Bug Bounty Program and GAD
  • Figure 2: Number of Reviewed and Unreviewed GitHub Security Advisories from December 2021 to November 2023
  • Figure 3: Number of New Reviewed and Unreviewed GitHub Security Advisories from June 2022 (i.e., After the Large Number of NVD Imported Entries) to November 2023