An Empirical Study of Security-Policy Related Issues in Open Source Projects

Rintaro Kanaji, Brittany Reid, Yutaro Kashiwa, Raula Gaikovina Kula, Hajimu Iida

TL;DR

The paper investigates how security-policy related issues, particularly SECURITY.md, are discussed and managed in open-source communities. It conducts a large-scale analysis of 15,192 GitHub issues across six community health files, with 711 SECURITY.md-related issues manually classified to understand issue purposes and resolution dynamics. Key findings show that 79.5% of SECURITY.md issues are addition requests, many coming from huntr.dev; while including links can shorten close times, the difference is not consistently significant, and governance-related discussions tend to attract more engagement. The study informs strategies to improve vulnerability reporting workflows and policy adoption in OSS, highlighting practical implications for maintainers and platform designers.

Abstract

GitHub recommends that projects adopt a security file that outlines vulnerability reporting procedures. However, the effectiveness and operational challenges of such files are not yet fully understood. This study aims to clarify the challenges that security files face in the vulnerability reporting process within open-source communities. Specifically, we classified and analyzed the content of 711 randomly sampled issues related to security files. We also conducted a quantitative comparative analysis of the close time and number of responses for issues concerning six community health files, including security files. Our analysis revealed that 79.5% of security file-related issues were requests to add the file, and that reports which included links were closed with a median time 2 days shorter. These findings offer practical insights for improving security reporting policies and community management, ultimately contributing to a more secure open-source ecosystem.
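As an added example (not code from the paper), the script below applies the two measurements the abstract describes, median close time for issues with and without a link and the share of "add the file" requests, to a constructed set of issue records. The keyword regex is an assumed heuristic standing in for the paper's manual classification, and the records are made up for this example.

```python
"""Added example: compare close times of SECURITY.md issues with/without links
and count addition requests, over constructed sample data."""
import re
from datetime import datetime
from statistics import median

# Constructed sample issues; field names mirror GitHub's issue API, values are made up.
SAMPLE_ISSUES = [
    {"title": "Add SECURITY.md", "body": "Please add a security policy, see https://docs.github.com/en/code-security",
     "created_at": "2023-01-01T00:00:00Z", "closed_at": "2023-01-02T00:00:00Z"},
    {"title": "Missing SECURITY.md file", "body": "Repo has no security policy.",
     "created_at": "2023-02-01T00:00:00Z", "closed_at": "2023-02-06T00:00:00Z"},
    {"title": "Clarify disclosure timeline in SECURITY.md", "body": "Which address should reports go to? https://example.com/security",
     "created_at": "2023-03-01T00:00:00Z", "closed_at": "2023-03-04T00:00:00Z"},
    {"title": "SECURITY.md: please create one", "body": "No policy yet",
     "created_at": "2023-04-01T00:00:00Z", "closed_at": "2023-04-10T00:00:00Z"},
    {"title": "Update contact email in security policy", "body": "Current email bounces",
     "created_at": "2023-05-01T00:00:00Z", "closed_at": None},  # still open
]

URL_RE = re.compile(r"https?://\S+")
# Assumed heuristic: an "add/create/missing" word near "SECURITY.md" marks an addition request.
ADD_RE = re.compile(r"\b(?:add|create|missing)\b.*?security\.md|security\.md.*?\b(?:add|create|missing)\b",
                    re.I | re.S)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def close_time_days(issue):
    """Days between creation and closure; caller must ensure closed_at is set."""
    return (parse_ts(issue["closed_at"]) - parse_ts(issue["created_at"])).total_seconds() / 86400

def has_link(issue):
    return bool(URL_RE.search(issue.get("body") or ""))

def is_addition_request(issue):
    return bool(ADD_RE.search(f"{issue['title']} {issue.get('body') or ''}"))

def median_close_time_by_link(issues):
    """Median close time (days) for closed issues, split by whether the body carries a link."""
    closed = [i for i in issues if i.get("closed_at")]
    with_link = [close_time_days(i) for i in closed if has_link(i)]
    without = [close_time_days(i) for i in closed if not has_link(i)]
    return {"with_link": median(with_link) if with_link else None,
            "without_link": median(without) if without else None}

def addition_request_share(issues):
    """Fraction of issues classified as requests to add the file."""
    return sum(is_addition_request(i) for i in issues) / len(issues)

if __name__ == "__main__":
    print(median_close_time_by_link(SAMPLE_ISSUES), addition_request_share(SAMPLE_ISSUES))
```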

Paper Structure

This paper contains 8 sections, 1 figure, 5 tables.

Figures (1)

  • Figure 1: SECURITY.md-related issue