On Categorizing Open Source Software Security Vulnerability Reporting Mechanisms on GitHub

Kancharoendee S.; Phichitphanphong T.; Jongyingyos C.; Reid B.; Kula R.G.; Choetkiertikul M.; Ragkhitwetsagul C.; Sunetnanta T.

On Categorizing Open Source Software Security Vulnerability Reporting Mechanisms on GitHub

6

Issued Date

2025-01-01

Resource Type

Conference Paper

DOI

10.1109/SANER64311.2025.00076

Scopus ID

2-s2.0-105007294519

Journal Title

Proceedings 2025 IEEE International Conference on Software Analysis Evolution and Reengineering Saner 2025

Start Page

751

End Page

756

Rights Holder(s)

SCOPUS

Bibliographic Citation

Proceedings 2025 IEEE International Conference on Software Analysis Evolution and Reengineering Saner 2025 (2025) , 751-756

Suggested Citation

Kancharoendee S., Phichitphanphong T., Jongyingyos C., Reid B., Kula R.G., Choetkiertikul M., Ragkhitwetsagul C., Sunetnanta T. On Categorizing Open Source Software Security Vulnerability Reporting Mechanisms on GitHub. Proceedings 2025 IEEE International Conference on Software Analysis Evolution and Reengineering Saner 2025 (2025) , 751-756. 756. doi:10.1109/SANER64311.2025.00076 Retrieved from: https://repository.li.mahidol.ac.th/handle/123456789/110647

Title

On Categorizing Open Source Software Security Vulnerability Reporting Mechanisms on GitHub

Author(s)

Kancharoendee S.
Phichitphanphong T.
Jongyingyos C.
Reid B.
Kula R.G.
Choetkiertikul M.
Ragkhitwetsagul C.
Sunetnanta T.

Author's Affiliation

The University of Osaka
Nara Institute of Science and Technology
Mahidol University

Corresponding Author(s)

Kancharoendee S.

Other Contributor(s)

Mahidol University

Abstract

Open-source projects are essential to software de-velopment, but publicly disclosing vulnerabilities without fixes increases the risk of exploitation. The Open Source Security Foundation (OpenS SF) addresses this issue by promoting robust security policies to enhance project security. Current research reveals that many projects perform poorly on OpenS SF criteria, indicating a need for stronger security practices and underscoring the value of SECURITY.md files for structured vulnerability re-porting. This study aims to provide recommendations for improving security policies. By examining 679 open-source projects, we find that email is still the main source of reporting. Furthermore, we find that projects without SECURITY.md files tend to be less secure (lower OpenSSF scores). Our analysis also indicates that, although many maintainers encourage private reporting methods, some contributors continue to disclose vulnerabilities publicly, bypassing established protocols. The results from this preliminary study pave the way for understanding how developers react and communicate a potential security threat. Future challenges include understanding the impact and effectiveness of these mechanisms and what factors may influence how the security threat is addressed.

Keyword(s)

Computer Science
Engineering

URI

https://repository.li.mahidol.ac.th/handle/123456789/110647

Collections

Scopus 2025

Full item page

Send Feedback

	Office Hour: Monday-Friday 08.30-12.00 and 13.00-16.30 hrs.
	Phutthamonthon Sai 4 Rd. Salaya, Nakhon Pathom 73170, Thailand
	The office: +66 (2) 800 2680 ext.4306
	thipsuda.van@mahidol.ac.th
	https://repository.li.mahidol.ac.th