Open Source Vulnerability Notification

  • Brandon Carlson
  • Kevin Leach (corresponding author)
  • Darko Marinov
  • Meiyappan Nagappan
  • Atul Prakash
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 556)


The use of third-party libraries to manage software complexity can expose open source software projects to vulnerabilities. However, project owners currently have no standard way to enable private disclosure of potential security vulnerabilities. This neglect may be caused in part by the lack of a template to follow for disclosing such vulnerabilities. We analyzed 600 GitHub projects to determine how many contained a vulnerable dependency and whether the projects had a process in place to privately communicate security issues. We found that 385 of the 600 open source Java projects contained at least one vulnerable dependency, and only 13 of those 385 projects had a security vulnerability reporting process. That is, 96.6% of the projects with a vulnerable dependency had no security notification process in place to allow for private disclosure. In determining whether the projects even had contact information publicly available, we found that 19.8% had no contact information publicly available, let alone a security vulnerability reporting process. We suggest two methods that allow community members to privately disclose potential security vulnerabilities.


Keywords: Vulnerable dependency, Security disclosure, Open source



We thank Snyk [26] for providing us access to their tool and data. This material is based upon work partially supported by the US Air Force Research Laboratory under Contract FA8750-15-2-0075 and US National Science Foundation under Grant Nos. CNS-1646305, CNS-1646392, CNS-1740897, and CNS-1740916.


  1. BugCrowd: Bugcrowd.
  2. Cavusoglu, H., Cavusoglu, H., Raghunathan, S.: Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE TSE 33, 171–185 (2007).
  3. Crocker, D.: Mailbox Names for Common Services, Roles and Functions. RFC 2142, Internet Engineering Task Force (1997).
  4. Decan, A., Mens, T., Constantinou, E.: On the impact of security vulnerabilities in the npm package dependency network. In: MSR (2018).
  5. Foudil, E., Shafranovich, Y.:
  6. Foudil, E., Shafranovich, Y.: A method for web security policies. Technical report, Internet Engineering Task Force (2018).
  7. GitHub: About security alerts for vulnerable dependencies.
  8. GitHub: GitHub and government civic hackers projects.
  9. GitHub: GitHub and government open source projects.
  10. GitHub: GitHub and government research projects.
  11. GitHub: GitHub trending Java open source projects.
  12.
  13. GitHub: Open source survey.
  14. HackerOne: HackerOne.
  15. HackerOne: Vulnerability disclosure policy basics: 5 critical components.
  16. Kula, R.G., German, D.M., Ouni, A., Ishio, T., Inoue, K.: Do developers update their library dependencies? ESE 23, 384–417 (2018).
  17. Legunsen, O., Hassan, W.U., Xu, X., Roşu, G., Marinov, D.: How good are the specs? A study of the bug-finding effectiveness of existing Java API specifications. In: ASE (2016).
  18. Liu, C., White, R.W., Dumais, S.: Understanding web browsing behaviors through Weibull analysis of dwell time. In: SIGIR (2010).
  19. Mirhosseini, S., Parnin, C.: Can automated pull requests encourage software developers to upgrade out-of-date dependencies? In: ASE (2017).
  20. Munaiah, N., Kroh, S., Cabrey, C., Nagappan, M.: Curating GitHub for engineered software projects. ESE 22, 3219–3253 (2017).
  21. Nesbitt, A., Nickolls, B.: open source repository and dependency metadata (2017).
  22. NIST: National vulnerability database (2018).
  23.
  24. Podjarny, G.: Open source vulnerabilities tripped Equifax, how can you defend yourself?
  25. Rapid7: NIST cyber framework updated with coordinated vuln disclosure processes.
  26. Snyk: Snyk.
  27. Snyk: The state of open source (2017).
  28. Tetelman, A.: bounty-targets-data (2018).
  29. Williams, J., Dabirsiaghi, A.: The unfortunate reality of insecure libraries.

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  • Brandon Carlson (1)
  • Kevin Leach (2), corresponding author
  • Darko Marinov (1)
  • Meiyappan Nagappan (3)
  • Atul Prakash (2)
  1. University of Illinois at Urbana-Champaign, Urbana, USA
  2. University of Michigan, Ann Arbor, USA
  3. University of Waterloo, Waterloo, Canada
