{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,4]],"date-time":"2026-03-04T06:37:16Z","timestamp":1772606236189,"version":"3.50.1"},"reference-count":50,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2015,9,15]],"date-time":"2015-09-15T00:00:00Z","timestamp":1442275200000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2016,10]]},"DOI":"10.1007\/s10664-015-9403-7","type":"journal-article","created":{"date-parts":[[2015,9,15]],"date-time":"2015-09-15T04:59:43Z","timestamp":1442293183000},"page":"1920-1959","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":35,"title":["Game of detections: how are security vulnerabilities discovered in the wild?"],"prefix":"10.1007","volume":"21","author":[{"given":"Munawar","family":"Hafiz","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ming","family":"Fang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2015,9,15]]},"reference":[{"key":"9403_CR1","doi-asserted-by":"crossref","unstructured":"Alhazmi O, Malaiya Y (2006) Prediction capabilities of vulnerability discovery models. In: RAMS\u201906. IEEE Computer Society","DOI":"10.1109\/RAMS.2006.1677355"},{"key":"9403_CR2","doi-asserted-by":"crossref","unstructured":"Anbalagan P, Vouk M (2009) Towards a unifying approach in understanding security problems. In: ISSRE\u201909. IEEE Press","DOI":"10.1109\/ISSRE.2009.25"},{"key":"9403_CR3","doi-asserted-by":"crossref","unstructured":"Aranda J, Venolia G (2009) The secret life of bugs: Going past the errors and omissions in software repositories. In: ICSE \u201909. IEEE Computer Society","DOI":"10.1109\/ICSE.2009.5070530"},{"issue":"12","key":"9403_CR4","doi-asserted-by":"crossref","first-page":"52","DOI":"10.1109\/2.889093","volume":"33","author":"W Arbaugh","year":"2000","unstructured":"Arbaugh W, Fithen W, McHugh J (2000) Windows of vulnerability: A case study analysis. Computer 33(12):52\u201359","journal-title":"Computer"},{"key":"9403_CR5","unstructured":"Arora A, Krishnan R, Telang R, Yang Y (2004) Impact of vulnerability disclosure and patch availability - An empirical analysis. In: WEIS \u201904"},{"key":"9403_CR6","doi-asserted-by":"crossref","unstructured":"Austin A, Williams L (2011) One technique is not enough: A comparison of vulnerability discovery techniques. In: ESEM \u201911","DOI":"10.1109\/ESEM.2011.18"},{"issue":"3","key":"9403_CR7","doi-asserted-by":"crossref","first-page":"259","DOI":"10.1002\/spe.2109","volume":"43","author":"D Baca","year":"2013","unstructured":"Baca D, Carlsson B, Petersen K, Lundberg L (2013) Improving software security with static automated code analysis in an industry setting. Software\u2014Practice and Experience 43(3):259\u2013279","journal-title":"Software\u2014Practice and Experience"},{"issue":"2","key":"9403_CR8","doi-asserted-by":"crossref","first-page":"66","DOI":"10.1145\/1646353.1646374","volume":"53","author":"A Bessey","year":"2010","unstructured":"Bessey A, Block K, Chelf B, Chou A, Fulton B, Hallem S, Henri-Gros C, Kamsky A, McPeak S, Engler D (2010) A few billion lines of code later: Using static analysis to find bugs in the real world. Commun ACM 53(2):66\u201375","journal-title":"Commun ACM"},{"key":"9403_CR9","doi-asserted-by":"crossref","unstructured":"Bosu A, Carver JC, Hafiz M, Hilley P, Janni D (2014) Identifying the characteristics of vulnerable code changes: An empirical study. In: 22nd ACM SIGSOFT international symposium on the foundations of software engineering, p To appear","DOI":"10.1145\/2635868.2635880"},{"key":"9403_CR10","doi-asserted-by":"crossref","unstructured":"Browne H, Arbaugh W, McHugh J, Fithen W (2001) A trend analysis of exploitations. In: IEEE S&P \u201901. IEEE Computer Society","DOI":"10.1109\/SECPRI.2001.924300"},{"key":"9403_CR11","unstructured":"Cheswick B (1992) An evening with berferd in which a cracker is lured, endured, and studied. In: Proc. Winter USENIX Conference, pp 163\u2013174"},{"key":"9403_CR12","doi-asserted-by":"crossref","unstructured":"Cova M, Leita C, Thonnard O, Keromytis A, Dacier M (2010) An analysis of rogue AV campaigns. In: Proceedings of the 13th international conference on Recent advances in intrusion detection, RAID\u201910. Springer-Verlag, Berlin, Heidelberg, pp 442\u2013463","DOI":"10.1007\/978-3-642-15512-3_23"},{"key":"9403_CR13","unstructured":"Denzin N (1978) The Research Act: A Theoretical Introduction to Sociological Methods. McGraw-Hill, New York"},{"key":"9403_CR14","doi-asserted-by":"crossref","unstructured":"Doup\u00e9 A, Cova M, Vigna G (2010) Why Johnny can\u2019t Pentest: An analysis of black-box web vulnerability scanners. In: DIMVA \u201910. Springer","DOI":"10.1007\/978-3-642-14215-4_7"},{"key":"9403_CR15","doi-asserted-by":"crossref","unstructured":"Edmundson A, Holtkamp B, Rivera E, Finifter M, Mettler A, Wagner D (2013) An empirical study on the effectiveness of security code review. In: ESSoS \u201913, Lecture Notes in Computer Science, vol 7781, pp 197\u2013212. Springer Berlin Heidelberg","DOI":"10.1007\/978-3-642-36563-8_14"},{"key":"9403_CR16","doi-asserted-by":"crossref","unstructured":"Fang M, Hafiz M (2014) Discovering buffer overflow vulnerabilities in the wild: an empirical study. In: Morisio M, Dyb\u00e5 T, Torchiano M (eds) 2014 ACM-IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM \u201914, Torino, Italy, September 18\u201319, 2014, p 23. ACM","DOI":"10.1145\/2652524.2652533"},{"key":"9403_CR17","unstructured":"Finifter M, Akhawe D, Wagner D (2013) An empirical study of vulnerability rewards programs. In: USENIX Security\u2019 13. USENIX Association"},{"key":"9403_CR18","unstructured":"Franklin J, Perrig A, Paxson V, Savage S (2007) An inquiry into the nature and causes of the wealth of internet miscreants. In: Ning P, di Vimercati SDC, Syverson PF (eds) Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS 2007, pp 375\u2013388. ACM"},{"key":"9403_CR19","unstructured":"Frei S, Schatzmann D, Plattner B, Trammell B (2009) Modelling the security ecosystem- The dynamics of (in)security. In: WEIS \u201909"},{"key":"9403_CR20","unstructured":"Frei S, Tellenbach B, Plattner B (2008) 0-day patch - Exposing vendors\u2019 (In)security performance. BlackHat Europe"},{"key":"9403_CR21","unstructured":"Gopalakrishna R, Spafford E (2005) A trend analysis of vulnerabilities. Tech. rep., CERIAS"},{"key":"9403_CR22","doi-asserted-by":"crossref","unstructured":"Johnson B, Song Y, Murphy-Hill E, Bowdidge R (2013) Why don\u2019t software developers use static analysis tools to find bugs?. In: ICSE \u201913. ACM","DOI":"10.1109\/ICSE.2013.6606613"},{"key":"9403_CR23","doi-asserted-by":"crossref","unstructured":"Kanich C, Kreibich C, Levchenko K, Enright B, Voelker GM, Paxson V, Savage S (2008) Spamalytics: An empirical analysis of spam marketing conversion. In: Proceedings of the 15th ACM conference on computer and communications security, CCS \u201908. ACM, New York, NY, USA, pp 3\u201314","DOI":"10.1145\/1455770.1455774"},{"key":"9403_CR24","unstructured":"Krippendorff K (2004) Content Analysis: An Introduction to Its Methodology. Sage Publications Ltd., Singapore"},{"key":"9403_CR25","doi-asserted-by":"crossref","unstructured":"Layman L, Williams L, Amant R (2007) Toward reducing fault fix time: Understanding developer behavior for the design of automated fault detection tools. In: ESEM \u201907. IEEE Computer Society","DOI":"10.1109\/ESEM.2007.11"},{"key":"9403_CR26","doi-asserted-by":"crossref","unstructured":"Massacci F, Nguyen V (2010) Which is the right source for vulnerability studies?: An empirical analysis on mozilla firefox. In: MetriSec \u201910. ACM","DOI":"10.1145\/1853919.1853925"},{"key":"9403_CR27","unstructured":"McGraw G, Steven J (2011) Software [In]security: Comparing apples, oranges, and aardvarks (or, all static analysis tools are not created equal). http:\/\/www.informit.com\/articles\/article.aspx?p=1680863"},{"key":"9403_CR28","unstructured":"McQueen M, McQueen T, Boyer W, Chaffin M (2009) Empirical estimates and observations of 0-day vulnerabilities. In: HICSS \u201909, pp 1 \u201312"},{"key":"9403_CR29","doi-asserted-by":"crossref","unstructured":"Meiklejohn S, Pomarole M, Jordan G, Levchenko K, McCoy D, Voelker GM, Savage S (2013) A fistful of bitcoins: Characterizing payments among men with no names. In: Proceedings of the 2013 conference on internet measurement conference, IMC \u201913. ACM, New York, NY, USA, pp 127\u2013140","DOI":"10.1145\/2504730.2504747"},{"key":"9403_CR30","unstructured":"Mell P, Scarfone K, Romanosky S (2007) CVSS: A complete guide to the Common Vulnerability Scoring System Version 2.0. Tech. rep., FIRST.org"},{"key":"9403_CR31","first-page":"109","volume":"3","author":"H Okhravi","year":"2008","unstructured":"Okhravi H, Nicol D (2008) Evaluation of patch management strategies. Int J Comput Intell Theory Pract 3:109\u2013117","journal-title":"Int J Comput Intell Theory Pract"},{"key":"9403_CR32","unstructured":"Open Web Application Security Project (OWASP) (2014) Owasp top ten 2013 project. https:\/\/www.owasp.org\/index.php\/Top_10_2013-Table_of_Contents"},{"key":"9403_CR33","unstructured":"Patton M (2001) Qualitative Research & Evaluation Methods, 3 edn. Sage Publications Ltd., Singapore"},{"key":"9403_CR34","doi-asserted-by":"crossref","unstructured":"Rutar N, Almazan C, Foster J (2004) A comparison of bug finding tools for Java. In: ISSRE \u201904. IEEE Computer Society","DOI":"10.1109\/ISSRE.2004.1"},{"key":"9403_CR35","unstructured":"Saldana J (2009) The Coding Manual for Qualitative Researchers. Sage Publications Ltd, Singapore"},{"key":"9403_CR36","doi-asserted-by":"crossref","unstructured":"Scandariato R, Walden J, Joosen W (2013) Static analysis versus penetration testing: A controlled experiment. In: 2013 IEEE 24th international symposium on software reliability engineering (ISSRE), pp 451\u2013460","DOI":"10.1109\/ISSRE.2013.6698898"},{"key":"9403_CR37","unstructured":"Schneier B (2000) Full disclosure and the window of exposure. Crypto-Gram Newsletter"},{"key":"9403_CR38","doi-asserted-by":"crossref","unstructured":"Scholte T, Balzarotti D, Kirda E (2012) Quo vadis? A study of the evolution of input validation vulnerabilities in web applications. In: FC\u201911. Springer-Verlag","DOI":"10.1007\/978-3-642-27576-0_24"},{"key":"9403_CR39","doi-asserted-by":"crossref","unstructured":"Schryen G (2009) A comprehensive and comparative analysis of the patching behavior of open source and closed source software vendors. In: IMF","DOI":"10.1109\/IMF.2009.15"},{"key":"9403_CR40","unstructured":"SecurityFocus Bugtraq vulnerability list. http:\/\/www.securityfocus.com\/"},{"key":"9403_CR41","doi-asserted-by":"crossref","unstructured":"Shahzad M, Shafiq M, Liu A (2012) A large scale exploratory analysis of software vulnerability life cycles. In: ICSE \u201912. IEEE Press","DOI":"10.1109\/ICSE.2012.6227141"},{"key":"9403_CR42","doi-asserted-by":"crossref","unstructured":"Suto L (2007) Analyzing the effectiveness and coverage of Web application security scanners. Tech. rep., eEye Digital Security","DOI":"10.1016\/S1353-4858(07)70094-6"},{"key":"9403_CR43","unstructured":"TippingPoint Zero Day Initiative (ZDI). http:\/\/www.zerodayinitiative.com\/"},{"key":"9403_CR44","unstructured":"Verisign iDefense security intelligence services. http:\/\/www.verisigninc.com\/en_US\/products-and-services\/network-intelligence-availability\/idefense\/index.xhtml"},{"key":"9403_CR45","unstructured":"Weinstein M (2012) TAMS Analyzer for Macintosh OS X: The native open source, Macintosh qualitative research tool"},{"key":"9403_CR46","unstructured":"Wilander J, Kamkar M (2003) A comparison of publicly available tools for dynamic buffer overflow prevention. In: NDSS \u201903. The Internet Society"},{"key":"9403_CR47","doi-asserted-by":"crossref","unstructured":"Wu Y, Gandhi R, Siy H (2010) Using semantic templates to study vulnerabilities recorded in large software repositories. In: SESS \u201910. ACM","DOI":"10.1145\/1809100.1809104"},{"key":"9403_CR48","doi-asserted-by":"crossref","unstructured":"Xiao S, Witschey J, Murphy-Hill E (2014) Social influences on secure development tool adoption: Why security tools spread. In: CSCW \u201914. ACM, New York, NY, USA, pp 1095\u20131106","DOI":"10.1145\/2531602.2531722"},{"key":"9403_CR49","unstructured":"Yin R (2011) Case Study Research: Design and Methods. Sage Publications Ltd, Singapore"},{"key":"9403_CR50","doi-asserted-by":"crossref","unstructured":"Zhang S, Caragea D, Ou X (2011) An empirical study on using the national vulnerability database to predict software vulnerabilities. In: DEXA \u201911. Springer","DOI":"10.1007\/978-3-642-23088-2_15"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-015-9403-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s10664-015-9403-7\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-015-9403-7","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,9,8]],"date-time":"2020-09-08T09:21:35Z","timestamp":1599556895000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s10664-015-9403-7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,9,15]]},"references-count":50,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2016,10]]}},"alternative-id":["9403"],"URL":"https:\/\/doi.org\/10.1007\/s10664-015-9403-7","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2015,9,15]]}}}