An Empirical Study of Vulnerability Handling Times in CPython
Jukka Ruohonen

TL;DR
This study analyzes vulnerability handling times in CPython and finds that who reported a vulnerability explains most of the variation in its fixing time, while severity and related factors do not.
Contribution
It provides empirical evidence that reporter identity explains vulnerability fixing times in CPython, advancing understanding of Python security.
Findings
Reporter identity strongly correlates with fixing times.
Severity and related factors do not significantly explain fixing durations.
Regression models explain vulnerability handling times well using reporter identity alone.
Abstract
The paper examines the handling times of software vulnerabilities in CPython, the reference implementation and interpreter for what is likely today's most popular programming language, Python. The background comes from the so-called vulnerability life cycle analysis, the literature on bug fixing times, and the recent research on the security of Python software. Based on regression analysis, the associated vulnerability fixing times can be explained very well merely by knowing who reported the vulnerabilities. Severity, proof-of-concept code, commits made to a version control system, comments posted on a bug tracker, and references to other sources do not explain the vulnerability fixing times. With these results, the paper contributes to the recent effort to better understand the security of the Python ecosystem.
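The abstract contrasts two ways of explaining fixing times: reporter identity (a categorical predictor) and severity (an ordinal one). The block below is an added illustration written for this page, not code or data from the paper or from the CPython project. It computes handling time from report and fix dates, then compares the explanatory power (R²) of a regression on reporter dummies with that of a regression on a numeric severity score. The reporter labels, the 1–4 severity scale and all dates are constructed for the example and do not come from the CPython tracker; the arithmetic is plain least squares in pure Python so it runs without dependencies.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records: reporter labels, severities and dates are made
# up for illustration and are NOT taken from the CPython issue tracker.
RECORDS = [
    # (reporter, severity 1-4, date reported, date fixed)
    ("core-dev-a", 1, date(2023, 1, 10), date(2023, 1, 12)),
    ("core-dev-a", 2, date(2023, 2, 1), date(2023, 2, 5)),
    ("core-dev-a", 3, date(2023, 3, 1), date(2023, 3, 7)),
    ("researcher-b", 1, date(2023, 1, 20), date(2023, 2, 9)),
    ("researcher-b", 2, date(2023, 2, 10), date(2023, 3, 4)),
    ("researcher-b", 3, date(2023, 3, 10), date(2023, 4, 3)),
    ("external-c", 1, date(2023, 1, 5), date(2023, 3, 6)),
    ("external-c", 2, date(2023, 2, 15), date(2023, 4, 18)),
    ("external-c", 3, date(2023, 3, 20), date(2023, 5, 23)),
]


def handling_days(reported, fixed):
    """Handling time in days; reject records whose fix predates the report."""
    days = (fixed - reported).days
    if days < 0:
        raise ValueError(f"fix date {fixed} precedes report date {reported}")
    return days


def _sum_of_squares(values):
    """Total sum of squared deviations from the mean."""
    m = sum(values) / len(values)
    return sum((v - m) ** 2 for v in values)


def r2_categorical(values, groups):
    """R^2 of an OLS regression of values on one dummy per group label.

    With only group dummies the fitted value is the group mean, so
    R^2 = 1 - within-group SS / total SS.
    """
    by_group = defaultdict(list)
    for v, g in zip(values, groups):
        by_group[g].append(v)
    within = sum(_sum_of_squares(vs) for vs in by_group.values())
    total = _sum_of_squares(values)
    if total == 0:
        return 0.0
    return 1.0 - within / total


def r2_linear(values, x):
    """R^2 of a simple linear regression of values on a numeric covariate."""
    n = len(values)
    mx = sum(x) / n
    my = sum(values) / n
    sxx = sum((xi - mx) ** 2 for xi in x)
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, values))
    total = _sum_of_squares(values)
    if sxx == 0 or total == 0:
        return 0.0
    # Explained SS of a one-covariate OLS fit is Sxy^2 / Sxx.
    return (sxy * sxy / sxx) / total


def compare_explanations(records):
    """Handling times plus R^2 for the reporter-only and severity-only models."""
    days = [handling_days(reported, fixed) for _, _, reported, fixed in records]
    reporters = [rec[0] for rec in records]
    severities = [rec[1] for rec in records]
    return {
        "handling_days": days,
        "r2_reporter": r2_categorical(days, reporters),
        "r2_severity": r2_linear(days, severities),
    }


if __name__ == "__main__":
    result = compare_explanations(RECORDS)
    print("handling days:", result["handling_days"])
    print(f"R^2 reporter-only: {result['r2_reporter']:.3f}")
    print(f"R^2 severity-only: {result['r2_severity']:.3f}")
```

On the constructed records the reporter-only model explains almost all of the variance while severity explains almost none, which is the shape of the finding the abstract reports; with real tracker exports one would substitute the actual report and fix dates and a reporter grouping of one's choosing, and add the remaining covariates (proof-of-concept code, commit and comment counts, references) as further columns before drawing conclusions.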
Taxonomy
Topics: Network Security and Intrusion Detection
