Fixing Outside the Box: Uncovering Tactics for Open-Source Security Issue Management

Lyuye Zhang, Jiahui Wu, Chengwei Liu, Kaixuan Li, Xiaoyu Sun, Lida Zhao, Chong Wang, Yang Liu

TL;DR

The paper addresses the gap between widely studied remediation tactics and the broader set of community-driven strategies used to fix OSS vulnerabilities. It conducts a large-scale empirical analysis of 21,187 GitHub security issues to build a hierarchical Remediation Tactics taxonomy with 44 categories, finding that 44% of community RTs are not yet supported by current tools. Through RQ-driven analyses of acceptance, audience, cost, and vulnerability-database coverage, the authors reveal user and maintainer preferences, long attack windows, and substantial gaps in vulnerability databases. The work demonstrates that community-sourced RTs can substantially augment formal databases and tooling, with implications for tool design, CI/CD integration, and standardization of remediation guidance to improve OSS security in practice.

Abstract

In the rapidly evolving landscape of software development, addressing security vulnerabilities in open-source software (OSS) has become critically important. However, existing research and tools from both academia and industry have mainly relied on a limited set of solutions, such as adjusting vulnerable versions and adopting patches, to handle identified vulnerabilities, whereas far more flexible and diverse countermeasures have been actively adopted in open-source communities. A holistic empirical study is needed to explore the prevalence, distribution, preferences, and effectiveness of these diverse strategies. To this end, in this paper we conduct a comprehensive study of the taxonomy of vulnerability remediation tactics (RTs) in OSS projects and investigate their pros and cons. The study addresses this oversight through an empirical analysis of 21,187 issues from GitHub, aiming to understand the range and efficacy of remediation tactics within the OSS community. We developed a hierarchical taxonomy of 44 distinct RTs and evaluated their effectiveness and costs. Our findings highlight a significant reliance on community-driven strategies, such as using alternative libraries and bypassing vulnerabilities, 44% of which are currently unsupported by cutting-edge tools. Additionally, this research exposes the community's preferences for certain fixing approaches by analyzing their acceptance and the reasons for rejection. It also underscores a critical gap in modern vulnerability databases, where 54% of CVEs lack fixing suggestions, a gap that can be significantly mitigated by leveraging the 93% of actionable solutions provided through GitHub issues.

Paper Structure

This paper contains 26 sections, 13 figures, 4 tables.

Figures (13)

  • Figure 1: Overview of This Empirical Study
  • Figure 2: Taxonomy of Remediation Tactics
  • Figure 3: Distribution of RT towards Acceptance and Audience of Issues. Proportions are normalized within each combination. For example, the sum of all Accept-User green bars on the left is 100%.
  • Figure 4: Subcategories of Adjusting Versions
  • Figure 5: Subcategories of Re-initializing
  • ...and 8 more figures