Code Ownership in Open-Source AI Software Security
Jiawen Wen, Dong Yuan, Lei Ma, Huaming Chen

TL;DR
This study investigates how code ownership patterns in open-source AI projects relate to security vulnerabilities, introducing new time-based metrics and a tool to help improve project security and developer engagement.
Contribution
It provides empirical evidence linking code ownership characteristics to vulnerabilities and introduces innovative time metrics and a benchmarking tool for open-source AI security.
Findings
High ownership correlates with fewer vulnerabilities.
Time metrics effectively categorize project phases and vulnerability levels.
Developed a Python tool for security assessment and benchmarking.
Abstract
As open-source AI software projects become an integral component of AI software development, it is critical to develop novel methods for developers to ensure and measure the security of these open-source projects. Code ownership, pivotal in the evolution of such projects, offers insights into developer engagement and potential vulnerabilities. In this paper, we leverage code ownership metrics to empirically investigate their correlation with latent vulnerabilities across five prominent open-source AI software projects. The findings from the large-scale empirical study suggest a positive relationship between high-level ownership (characterised by a limited number of minor contributors) and a decrease in vulnerabilities. Furthermore, we innovatively introduce time metrics, anchored on the project's duration, individual source code file timelines, and the count of impacted…
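As an added illustration, not code from the paper or its tool, the following Python computes per-file ownership metrics from a git log and ranks files by the pattern the abstract associates with more vulnerabilities (many minor contributors, low top-author share). The 5% minor-contributor threshold, the `git log --format='AUTHOR:%an' --name-only` input format and the sample history are assumptions.

```python
from collections import Counter, defaultdict

# Assumed threshold (not from the paper): an author with under 5% of a file's
# commits is a "minor" contributor; the top author's share is the file's ownership.
MINOR_THRESHOLD = 0.05

def parse_git_log(text):
    """Build {path: {author: commits}} from `git log --format='AUTHOR:%an' --name-only`."""
    counts = defaultdict(Counter)
    author = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("AUTHOR:"):
            author = line[len("AUTHOR:"):]
        elif author is not None:
            counts[line][author] += 1
    return counts

def ownership_metrics(author_counts):
    """Ownership (top author's share) plus major/minor contributor counts for one file."""
    total = sum(author_counts.values())
    shares = [n / total for n in author_counts.values()]
    minor = sum(1 for s in shares if s < MINOR_THRESHOLD)
    return {"ownership": max(shares), "major": len(shares) - minor, "minor": minor}

def rank_files_by_risk(history):
    """Files with more minor contributors, then lower ownership, come first."""
    scored = {path: ownership_metrics(c) for path, c in history.items()}
    return sorted(scored, key=lambda p: (-scored[p]["minor"], scored[p]["ownership"]))

# Constructed history (stand-in for a real repository's parsed log).
SAMPLE_HISTORY = {
    "model/train.py": {"alice": 38, "bob": 1, "carol": 1},
    "serving/loader.py": {"dave": 10, "erin": 9, "frank": 1, "gil": 1, "hana": 1, "ivan": 1},
    "utils/io.py": {"alice": 12},
}
# Constructed log excerpt in the format parse_git_log expects.
SAMPLE_LOG = """AUTHOR:alice
model/train.py
utils/io.py

AUTHOR:bob
model/train.py
"""

if __name__ == "__main__":
    for path in rank_files_by_risk(SAMPLE_HISTORY):
        print(path, ownership_metrics(SAMPLE_HISTORY[path]))
```

On a real checkout, feed `parse_git_log` the output of the git command above and pass the result to `rank_files_by_risk` to get a review-priority list.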
Taxonomy
Topics: Software Engineering Research · Open Source Software Innovations
