How Do Developers Deal with Security Issue Reports on GitHub?
Noah Bühlmann, Mohammad Ghafari

TL;DR
This study analyzes 3,493 security issue reports on GitHub to understand current practices, challenges, and opportunities for improving how developers handle security vulnerabilities in open-source projects.
Contribution
It provides a comprehensive empirical analysis of security issue reports, revealing patterns, challenges, and factors influencing resolution times in open-source development.
Findings
Security reports are increasing and resolved faster over time.
A small group of developers handle most security issues.
Many security issues remain unresolved for long periods.
Abstract
Security issue reports are the primary means of informing development teams of security risks in projects, but little is known about current practices. We aim to understand the characteristics of these reports in open-source projects and uncover opportunities to improve developer practices. We analysed 3,493 security issue reports in 182 different projects on GitHub and manually studied 333 reports, their discussions, and pull requests. We found that the number of security issue reports has increased over time, they are resolved faster, and they are reported in earlier development stages compared to past years. Nevertheless, a tiny group of developers is involved frequently, security issues progress slowly, and a great number of them have been pending for a long time. We realized that only a small subset of security issue reports include reproducibility data, a potential fix is…
Peer Reviews
No public reviews on file for this paper yet.
Videos
No videos yet.
