Open Source Vulnerability Notification

  • Brandon Carlson
  • Kevin Leach (corresponding author)
  • Darko Marinov
  • Meiyappan Nagappan
  • Atul Prakash
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 556)

Abstract

The use of third-party libraries to manage software complexity can expose open source software projects to vulnerabilities. However, project owners do not currently have a standard way to enable private disclosure of potential security vulnerabilities. This neglect may be caused in part by having no template to follow for disclosing such vulnerabilities. We analyzed 600 GitHub projects to determine how many projects contained a vulnerable dependency and whether the projects had a process in place to privately communicate security issues. We found that 385 out of 600 open source Java projects contained at least one vulnerable dependency, and only 13 of those 385 projects had a security vulnerability reporting process. That is, 96.6% of the projects with a vulnerability did not have a security notification process in place to allow for private disclosure. In determining whether the projects even had contact information publicly available, we found that 19.8% had no contact information publicly available, let alone a security vulnerability reporting process. We suggest two methods to allow for community members to privately disclose potential security vulnerabilities.
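The abstract reports two per-project facts, whether a dependency is vulnerable and whether the project advertises a private security-reporting channel, but this page does not describe how the authors decided the second one. The following is an added example written for this page, not the paper's own methodology or code: it classifies a repository as having a private-disclosure channel if it ships a root SECURITY.md-style policy file, a security.txt (the draft-foudil-securitytxt format cited in the references) with a Contact: field, or an RFC 2142 style security@ address, or any e-mail address near the word "security", in a README. The three heuristics and the sample repositories are the editor's assumptions and constructed inputs, not data from the study.

```python
"""Added example (not from the paper): heuristics for deciding whether a
repository advertises a private security-disclosure channel.

The classification rules below are the editor's assumptions, not the
criteria used in the study:
  1. a SECURITY.md / SECURITY.rst / SECURITY.txt / SECURITY file at the
     repository root with non-empty content,
  2. a security.txt (draft-foudil-securitytxt) at .well-known/security.txt
     or the repository root that carries at least one Contact: field,
  3. an RFC 2142 style security@ mailbox, or any e-mail address within
     80 characters of the word "security", in a README file.
"""
import re
from typing import Dict, Iterable, List, Optional

SECURITY_POLICY_FILES = {"SECURITY.MD", "SECURITY.RST", "SECURITY.TXT", "SECURITY"}
SECURITY_TXT_PATHS = (".well-known/security.txt", "security.txt")
README_RE = re.compile(r"^README(\.[a-z]+)?$", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse 'Field: value' lines of a security.txt file.

    Lines starting with '#' are comments, field names are case-insensitive
    and a field may repeat (several Contact: lines are common), so values
    are collected in a list per lower-cased field name.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line; ignore rather than fail
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def find_disclosure_channel(files: Dict[str, str]) -> Optional[str]:
    """Return a description of the first private-disclosure channel found.

    `files` maps repository-relative paths to file contents (the tree of a
    checked-out project). Returns None when no channel is detected.
    """
    # 1. root-level security policy file
    for path, text in files.items():
        if "/" not in path and path.upper() in SECURITY_POLICY_FILES and text.strip():
            return f"security policy file: {path}"
    # 2. security.txt with a Contact: field
    for path in SECURITY_TXT_PATHS:
        if path in files:
            contacts = parse_security_txt(files[path]).get("contact", [])
            if contacts:
                return f"security.txt Contact: {contacts[0]}"
    # 3. security contact address in a README
    for path, text in files.items():
        if not README_RE.match(path.rsplit("/", 1)[-1]):
            continue
        for m in EMAIL_RE.finditer(text):
            addr = m.group(0)
            window = text[max(0, m.start() - 80): m.end() + 80].lower()
            if addr.lower().startswith("security@") or "security" in window:
                return f"security contact in {path}: {addr}"
    return None


def summarize(repos: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count how many repositories do and do not expose a disclosure channel."""
    total = with_channel = 0
    for files in repos:
        total += 1
        if find_disclosure_channel(files) is not None:
            with_channel += 1
    return {"projects": total, "with_channel": with_channel,
            "without_channel": total - with_channel}


# Constructed sample repositories (hypothetical projects, not real ones).
REPO_WITH_POLICY = {
    "README.md": "# Foo\nA library.\n",
    "SECURITY.md": "Report vulnerabilities privately to the maintainers.\n",
}
REPO_WITH_SECURITY_TXT = {
    "README.md": "# Bar\n",
    ".well-known/security.txt": "# policy\nContact: mailto:security@bar.example\n"
                                "Expires: 2030-01-01T00:00:00Z\n",
}
REPO_WITH_README_EMAIL = {
    "README.md": "# Baz\nFor security issues email security@baz.example, "
                 "not the public issue tracker.\n",
}
REPO_WITHOUT_CHANNEL = {
    "README.md": "# Qux\nQuestions? Open an issue or mail devs@qux.example.\n",
    "pom.xml": "<project/>",
}

if __name__ == "__main__":
    for repo in (REPO_WITH_POLICY, REPO_WITH_SECURITY_TXT,
                 REPO_WITH_README_EMAIL, REPO_WITHOUT_CHANNEL):
        print(find_disclosure_channel(repo))
    print(summarize([REPO_WITH_POLICY, REPO_WITH_SECURITY_TXT,
                     REPO_WITH_README_EMAIL, REPO_WITHOUT_CHANNEL]))
```

The README heuristic is deliberately loose: a generic maintainer address with no security wording (the REPO_WITHOUT_CHANNEL case) is not counted, because a public mailing list is not a private channel, which is the distinction the abstract draws between "contact information" and a "security vulnerability reporting process".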

Keywords

Vulnerable dependency · Security disclosure · Open source

Notes

Acknowledgments

We thank Snyk [26] for providing us access to their tool and data. This material is based upon work partially supported by the US Air Force Research Laboratory under Contract FA8750-15-2-0075 and US National Science Foundation under Grant Nos. CNS-1646305, CNS-1646392, CNS-1740897, and CNS-1740916.

References

  1. BugCrowd: Bugcrowd. https://www.bugcrowd.com
  2. Cavusoglu, H., Cavusoglu, H., Raghunathan, S.: Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE TSE 33, 171–185 (2007)
  3. Crocker, D.: Mailbox Names for Common Services, Roles and Functions. RFC 2142, Internet Engineering Task Force (1997). http://www.rfc-editor.org/rfc/rfc2142.txt
  4. Decan, A., Mens, T., Constantinou, E.: On the impact of security vulnerabilities in the npm package dependency network. In: MSR (2018)
  5. Foudil, E., Shafranovich, Y.: securitytxt.org. https://securitytxt.org
  6. Foudil, E., Shafranovich, Y.: A method for web security policies. Technical report, Internet Engineering Task Force (2018). https://datatracker.ietf.org/doc/html/draft-foudil-securitytxt-03
  7. GitHub: About security alerts for vulnerable dependencies. https://help.github.com/en/articles/about-security-alerts-for-vulnerable-dependencies
  8. GitHub: GitHub and government civic hackers projects. https://government.github.com/community/#civic_hackers
  9. GitHub: GitHub and government open source projects. https://government.github.com/community/
  10. GitHub: GitHub and government research projects. https://government.github.com/community/#research
  11. GitHub: GitHub trending Java open source projects. https://github.com/trending/java
  12.
  13. GitHub: Open source survey. https://opensourcesurvey.org/2017
  14. HackerOne: HackerOne. https://hackerone.com
  15. HackerOne: Vulnerability disclosure policy basics: 5 critical components. https://www.hackerone.com/blog/Vulnerability-Disclosure-Policy-Basics-5-Critical-Components
  16. Kula, R.G., German, D.M., Ouni, A., Ishio, T., Inoue, K.: Do developers update their library dependencies? ESE 23, 384–417 (2018)
  17. Legunsen, O., Hassan, W.U., Xu, X., Roşu, G., Marinov, D.: How good are the specs? A study of the bug-finding effectiveness of existing Java API specifications. In: ASE (2016)
  18. Liu, C., White, R.W., Dumais, S.: Understanding web browsing behaviors through Weibull analysis of dwell time. In: SIGIR (2010)
  19. Mirhosseini, S., Parnin, C.: Can automated pull requests encourage software developers to upgrade out-of-date dependencies? In: ASE (2017)
  20. Munaiah, N., Kroh, S., Cabrey, C., Nagappan, M.: Curating GitHub for engineered software projects. ESE 22, 3219–3253 (2017)
  21. Nesbitt, A., Nickolls, B.: Libraries.io open source repository and dependency metadata (2017)
  22. NIST: National vulnerability database (2018). https://nvd.nist.gov
  23.
  24. Podjarny, G.: Open source vulnerabilities tripped Equifax, how can you defend yourself? https://snyk.io/blog/equifax-breach-vulnerable-open-source-libraries
  25. Rapid7: NIST cyber framework updated with coordinated vuln disclosure processes. https://blog.rapid7.com/2017/12/19/nist-cyber-framework-revised-to-include-coordinated-vuln-disclosure-processes
  26. Snyk: Snyk. https://snyk.io
  27. Snyk: The state of open source (2017). https://snyk.io/stateofossecurity
  28. Tetelman, A.: bounty-targets-data (2018). https://github.com/arkadiyt/bounty-targets-data
  29. Williams, J., Dabirsiaghi, A.: The unfortunate reality of insecure libraries. https://www.contrastsecurity.com/the-unfortunate-reality-of-insecure-libraries

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  • Brandon Carlson (1)
  • Kevin Leach (2, corresponding author)
  • Darko Marinov (1)
  • Meiyappan Nagappan (3)
  • Atul Prakash (2)

  1. University of Illinois at Urbana-Champaign, Urbana, USA
  2. University of Michigan, Ann Arbor, USA
  3. University of Waterloo, Waterloo, Canada