Time to Discover and Fix Software Vulnerabilities in Open Source Software Projects: Notes on Measurement and Data Availability

Reducing the time taken to discover and fix vulnerabilities in open source software projects is increasingly relevant to technology entrepreneurs and technology managers at all levels of industry. Rigorous research requires access to valid and reliable data on when vulnerabilities were introduced, discovered, and closed. This article offers three contributions about measurement and data availability: (1) an approach to measuring the time to discover and time to fix vulnerabilities in open source software projects, (2) evidence that combining project release histories and metrics from two online databases can provide reliable proxy dates for vulnerability introduction and fix, but not discovery, and (3) possible technical and open collaboration solutions to the data availability limitations of current databases. These results were part of a larger mixed-method study on the relationship between open source project and community attributes and software vulnerabilities with a data set of 1268 vulnerabilities affecting the software produced by 60 open source projects.