The Sound of Silence: Mining Security Vulnerabilities from Secret Integration Channels in Open-Source Projects
[article]
2020
pre-print
Public development processes are a key characteristic of open source projects. However, fixes for vulnerabilities are usually discussed privately among a small group of trusted maintainers, and integrated without prior public involvement. This is supposed to prevent early disclosure, and cope with embargo and non-disclosure agreement (NDA) rules. While regular development activities leave publicly available traces, fixes for vulnerabilities that bypass the standard process do not. We present a
doi:10.1145/3411495.3421360
arXiv:2009.01694v1
fatcat:qzb73lyblrd23kepyrlconxt4y