Security by documentation? characterizing GitHub SECURITY.md policy and their adoption in Python libraries
Issued Date
2026-05-01
ISSN
13823256
eISSN
15737616
Scopus ID
2-s2.0-105029557787
Journal Title
Empirical Software Engineering
Volume
31
Issue
3
Rights Holder(s)
SCOPUS
Bibliographic Citation
Empirical Software Engineering Vol.31 No.3 (2026)
Suggested Citation
Choetkiertikul M., Kancharoendee S., Jongyingyos C., Phichitphanphong T., Ragkhitwetsagul C., Reid B., Kula R.G., Sunetnanta T. Security by documentation? characterizing GitHub SECURITY.md policy and their adoption in Python libraries. Empirical Software Engineering Vol.31 No.3 (2026). doi:10.1007/s10664-025-10794-z Retrieved from: https://repository.li.mahidol.ac.th/handle/123456789/115060
Abstract
As security in open-source software development becomes increasingly crucial, security policies are one way to manage vulnerabilities and guide users toward safe practices. To support secure development, platforms like GitHub provide a dedicated section for security policies within repositories. Existing studies focus on the adoption of security policies; however, the detailed content of the policies themselves has not been examined. Our study aims to fill this gap by analyzing the security policies of 679 PyPI Python libraries hosted on GitHub. We examine the characteristics and content of existing policies and investigate their relationship with project characteristics and recommended security practices by comparing security practice assessments between projects with and without an established security policy. The results indicate that projects with a SECURITY.md show stronger adherence to recommended security practices. This study highlights the importance of adopting a clear and comprehensive security policy to enhance the overall security practices of open-source projects.
