{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,16]],"date-time":"2025-10-16T03:53:24Z","timestamp":1760586804884,"version":"3.37.3"},"reference-count":40,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2016,8,18]],"date-time":"2016-08-18T00:00:00Z","timestamp":1471478400000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2016,8,18]],"date-time":"2016-08-18T00:00:00Z","timestamp":1471478400000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CCF-1441444"],"award-info":[{"award-number":["CCF-1441444"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2017,6]]},"DOI":"10.1007\/s10664-016-9447-3","type":"journal-article","created":{"date-parts":[[2016,8,18]],"date-time":"2016-08-18T03:37:30Z","timestamp":1471491450000},"page":"1305-1347","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":18,"title":["Do bugs foreshadow vulnerabilities? An in-depth study of the chromium project"],"prefix":"10.1007","volume":"22","author":[{"given":"Nuthan","family":"Munaiah","sequence":"first","affiliation":[]},{"given":"Felivel","family":"Camilo","sequence":"additional","affiliation":[]},{"given":"Wesley","family":"Wigham","sequence":"additional","affiliation":[]},{"given":"Andrew","family":"Meneely","sequence":"additional","affiliation":[]},{"given":"Meiyappan","family":"Nagappan","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2016,8,18]]},"reference":[{"issue":"3","key":"9447_CR1","first-page":"71","volume":"8","author":"A Algarni","year":"2014","unstructured":"Algarni A, Malaiya Y (2014) Software vulnerability markets: Discoverers and buyers. Inter J Comp Inf Scie Engin 8(3):71\u201381","journal-title":"Inter J Comp Inf Scie Engin"},{"key":"9447_CR2","doi-asserted-by":"publisher","unstructured":"Allodi L, Massacci F (2012a) A Preliminary Analysis of Vulnerability Scores for Attacks in Wild. In: Proceedings of the 2012 ACM Workshop on Building analysis datasets and gathering experience returns for security - BADGERS \u201912, p 17. doi:\n                    http:\/\/dx.doi.org\/10.1145\/2382416.2382427","DOI":"10.1145\/2382416.2382427"},{"key":"9447_CR3","doi-asserted-by":"crossref","unstructured":"Allodi L, Massacci F (2012b) A Preliminary Analysis of Vulnerability Scores for Attacks in Wild: The EKITS and SYM Datasets. In: Proceedings of the 2012 ACM Workshop on Building analysis datasets and gathering experience returns for security, ACM, pp 17\u201324","DOI":"10.1145\/2382416.2382427"},{"issue":"1","key":"9447_CR4","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/2630069","volume":"17","author":"L Allodi","year":"2014","unstructured":"Allodi L, Massacci F (2014) Comparing vulnerability severity and exploits using case-control studies. ACM Trans Inf Syst Secur 17(1):1","journal-title":"ACM Trans Inf Syst Secur"},{"key":"9447_CR5","doi-asserted-by":"crossref","unstructured":"Allodi L, Shim W, Massacci F (2013) Quantitative assessment of risk reduction with cybercrime black market monitoring. In: Security and Privacy Workshops (SPW), 2013 IEEE, IEEE, pp 165\u2013172","DOI":"10.1109\/SPW.2013.16"},{"key":"9447_CR6","doi-asserted-by":"crossref","unstructured":"Bird C, Menzies T, Zimmermann T (2015) The Art and Science of Analyzing Software Data: Analysis Patterns. Elsevier Science","DOI":"10.1016\/B978-0-12-411519-4.00001-X"},{"key":"9447_CR7","doi-asserted-by":"publisher","unstructured":"Bozorgi M, Saul LK, Savage S, Voelker GM (2010) Beyond Heuristics: Learning to Classify Vulnerabilities and Predict Exploits. In: Proceedings of the 16th ACM SIGKDD international conference on Knowledge discovery and data mining, ACM, pp 105\u2013114. doi:\n                    http:\/\/dx.doi.org\/10.1145\/1835804.1835821","DOI":"10.1145\/1835804.1835821"},{"issue":"2","key":"9447_CR8","doi-asserted-by":"publisher","first-page":"261","DOI":"10.1177\/0049124104268644","volume":"33","author":"KP Burnham","year":"2004","unstructured":"Burnham KP, Anderson DR (2004) Multimodel inference understanding aic and bic in model selection. Sociol Methods Res 33(2):261\u2013304","journal-title":"Sociol Methods Res"},{"key":"9447_CR9","doi-asserted-by":"publisher","unstructured":"Chen TY, Kuo FC, Merkel R (2004) On the statistical properties of the f-measure. In: Quality Software, 2004. QSIC 2004. Proceedings. Fourth International Conference on, pp 146\u2013153. doi:\n                    http:\/\/dx.doi.org\/10.1109\/QSIC.2004.1357955","DOI":"10.1109\/QSIC.2004.1357955"},{"key":"9447_CR10","doi-asserted-by":"publisher","unstructured":"Chen TH, Thomas S, Nagappan M, Hassan A (2012) Explaining software defects using topic models. In: Mining Software Repositories (MSR), 2012 9th IEEE Working Conference on, pp 189\u2013198. doi:\n                    http:\/\/dx.doi.org\/10.1109\/MSR.2012.6224280","DOI":"10.1109\/MSR.2012.6224280"},{"key":"9447_CR11","doi-asserted-by":"crossref","unstructured":"Cohen J (1992) Statistical power analysis. Curr Dir Psychol Sci:98\u2013101","DOI":"10.1111\/1467-8721.ep10768783"},{"key":"9447_CR12","doi-asserted-by":"crossref","unstructured":"Cohen J (2013) Statistical power analysis for the behavioral sciences. Academic press","DOI":"10.4324\/9780203771587"},{"key":"9447_CR13","doi-asserted-by":"publisher","unstructured":"Cruz A, Ochimizu K (2009) Towards logistic regression models for predicting fault-prone code across software projects. doi:\n                    http:\/\/dx.doi.org\/10.1109\/ESEM.2009.5316002\n                    \n                  , pp Empirical Software Engineering and Measurement, 2009. ESEM 2009. 3rd International Symposium on, pp 460\u2013463","DOI":"10.1109\/ESEM.2009.5316002"},{"key":"9447_CR14","unstructured":"Finifter M, Akhawe D, Wagner D (2013) An Empirical Study of Vulnerability Rewards Programs. In: USENIX Security, vol 13"},{"key":"9447_CR15","doi-asserted-by":"crossref","unstructured":"Gegick M, Williams L, Osborne J, Vouk M (2008) Prioritizing software security fortification throughcode-level metrics. In: Proceedings of the 4th ACM workshop on Quality of protection, ACM, pp 31\u201338","DOI":"10.1145\/1456362.1456370"},{"key":"9447_CR16","doi-asserted-by":"publisher","unstructured":"Gegick M, Rotella P, Williams L (2009) Predicting attack-prone components. In: Software Testing Verification and Validation, 2009. ICST \u201909. International Conference on, pp 181\u2013190. doi:\n                    http:\/\/dx.doi.org\/10.1109\/ICST.2009.36","DOI":"10.1109\/ICST.2009.36"},{"issue":"2","key":"9447_CR17","doi-asserted-by":"publisher","first-page":"147","DOI":"10.1016\/S0304-3800(00)00354-9","volume":"135","author":"A Guisan","year":"2000","unstructured":"Guisan A, Zimmermann NE (2000) Predictive habitat distribution models in ecology. Ecol Model 135(2):147\u2013186","journal-title":"Ecol Model"},{"key":"9447_CR18","doi-asserted-by":"crossref","unstructured":"Krishnamurthy S, Tripathi A K (2006) Bounty programs in free\/libre\/open source software. BITZER Jurgen, The Economics of Open Source Software Development, Lavoisier, Paris","DOI":"10.1016\/B978-044452769-1\/50008-1"},{"key":"9447_CR19","unstructured":"Krsul IV (1998) Software vulnerability analysis, PhD thesis, Purdue University"},{"key":"9447_CR20","doi-asserted-by":"publisher","unstructured":"Meneely A, Srinivasan H, Musa A, Rodriguez Tejeda A, Mokary M, Spates B (2013) When a patch goes bad: Exploring the properties of vulnerability-contributing commits. In: Empirical Software Engineering and Measurement, 2013 ACM \/ IEEE International Symposium on, pp 65\u201374. doi:\n                    http:\/\/dx.doi.org\/10.1109\/ESEM.2013.19","DOI":"10.1109\/ESEM.2013.19"},{"key":"9447_CR21","doi-asserted-by":"publisher","unstructured":"Meneely A, Tejeda ACR, Spates B, Trudeau S, Neuberger D, Whitlock K, Ketant C, Davis K (2014) An empirical investigation of socio-technical code review metrics and security vulnerabilities. In: Proceedings of the 6th International Workshop on Social Software Engineering, ACM, New York, NY, USA, SSE 2014, pp 37\u201344. doi:\n                    http:\/\/dx.doi.org\/10.1145\/2661685.2661687","DOI":"10.1145\/2661685.2661687"},{"key":"9447_CR22","unstructured":"Miller C (2007) The legitimate vulnerability market: Inside the secretive world of 0-day exploit sales. In: In Sixth Workshop on the Economics of Information Security, Citeseer"},{"key":"9447_CR23","doi-asserted-by":"publisher","unstructured":"Mitropoulos D, Gousios G, Spinellis D (2012) Measuring the occurrence of security-related bugs through software evolution. In: Informatics (PCI), 2012 16th Panhellenic Conference on, pp 117\u2013122. doi:\n                    http:\/\/dx.doi.org\/10.1109\/PCi.2012.15","DOI":"10.1109\/PCi.2012.15"},{"key":"9447_CR24","unstructured":"Mitropoulos D, Karakoidas V, Louridas P, Gousios G, Spinellis D (2013) Dismal code: Studying the evolution of security bugs. In: Proceedings of the LASER 2013 (LASER 2013), USENIX, Arlington, VA, pp 37\u201348. \n                    https:\/\/www.usenix.org\/laser2013\/program\/mitropoulos"},{"issue":"3","key":"9447_CR25","first-page":"69","volume":"24","author":"M Mukaka","year":"2012","unstructured":"Mukaka M (2012) A guide to appropriate use of correlation coefficient in medical research. Malawi Med J 24(3):69\u201371","journal-title":"Malawi Med J"},{"key":"9447_CR26","doi-asserted-by":"crossref","unstructured":"Neuhaus S, Zimmermann T, Holler C, Zeller A (2007) Predicting vulnerable software components. In: Proceedings of the 14th ACM conference on Computer and communications security, ACM, pp 529\u2013540","DOI":"10.1145\/1315245.1315311"},{"key":"9447_CR27","doi-asserted-by":"publisher","unstructured":"Poncin W, Serebrenik A, van den Brand M (2011) Process mining software repositories. In: Software Maintenance and Reengineering (CSMR), 2011 15th European Conference on, pp 5\u201314. doi:\n                    http:\/\/dx.doi.org\/10.1109\/CSMR.2011.5","DOI":"10.1109\/CSMR.2011.5"},{"key":"9447_CR28","unstructured":"R Core Team (2015) R: A Language and Environment for Statistical Computing. R Foundation for Statistical Computing, Vienna, Austria. \n                    http:\/\/www.R-project.org\/"},{"key":"9447_CR29","doi-asserted-by":"crossref","unstructured":"Radianti J, Gonzalez JJ (2007) Understanding hidden information security threats: The vulnerability black market. In: System Sciences, 2007. HICSS 2007. 40th Annual Hawaii International Conference on, IEEE, pp 156c\u2013156c","DOI":"10.1109\/HICSS.2007.583"},{"key":"9447_CR30","doi-asserted-by":"publisher","first-page":"111","DOI":"10.2307\/271063","volume":"25","author":"AE Raftery","year":"1995","unstructured":"Raftery AE (1995) Bayesian model selection in social research. Sociol Methodol 25:111\u2013164","journal-title":"Sociol Methodol"},{"issue":"1","key":"9447_CR31","doi-asserted-by":"publisher","first-page":"19","DOI":"10.1037\/1082-989X.13.1.19","volume":"13","author":"J Ruscio","year":"2008","unstructured":"Ruscio J (2008) A probability-based measure of effect size: Robustness to base rates and other factors. Psychol Methods 13(1):19","journal-title":"Psychol Methods"},{"issue":"5","key":"9447_CR32","first-page":"410","volume":"18","author":"NF Schneidewind","year":"1992","unstructured":"Schneidewind NF (1992) Methodology for validating software metrics. Software Engineering. Trans IEEE 18(5):410\u2013422","journal-title":"Trans IEEE"},{"key":"9447_CR33","doi-asserted-by":"crossref","unstructured":"Shihab E, Mockus A, Kamei Y, Adams B, Hassan AE (2011) High-impact defects: a study of breakage and surprise defects. In: Proceedings of the 19th ACM SIGSOFT symposium and the 13th European conference on Foundations of software engineering, ACM, pp 300\u2013310","DOI":"10.1145\/2025113.2025155"},{"issue":"6","key":"9447_CR34","doi-asserted-by":"publisher","first-page":"772","DOI":"10.1109\/TSE.2010.81","volume":"37","author":"Y Shin","year":"2011","unstructured":"Shin Y, Meneely A, Williams L, Osborne J (2011) Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE Trans Softw Eng 37(6):772\u2013787. doi:\n                    http:\/\/dx.doi.org\/10.1109\/TSE.2010.81","journal-title":"IEEE Trans Softw Eng"},{"key":"9447_CR35","doi-asserted-by":"crossref","unstructured":"Tantithamthavorn C, McIntosh S, Hassan AE, Ihara A, ichi Matsumoto K (2015) The impact of mislabelling on the performance and interpretation of defect prediction models. In: Proc. of the 37th Int\u2019l Conf. on Software Engineering (ICSE), p To appear","DOI":"10.1109\/ICSE.2015.93"},{"key":"9447_CR36","doi-asserted-by":"publisher","unstructured":"Tegarden D, Sheetz S, Monarchi D (1992) Effectiveness of traditional software metrics for object-oriented systems. In: System Sciences, 1992. Proceedings of the Twenty-Fifth Hawaii International Conference on, vol iv, pp 359\u2013368 vol.4. doi:\n                    http:\/\/dx.doi.org\/10.1109\/HICSS.1992.183365","DOI":"10.1109\/HICSS.1992.183365"},{"key":"9447_CR37","unstructured":"Younis AA, Malaiya YK (2015) Comparing and Evaluating CVSS Base Metrics and Microsoft Rating System. In: 2015 IEEE International Conference on Software Quality, Reliability and Security (QRS), IEEE, pp 252\u2013261"},{"key":"9447_CR38","doi-asserted-by":"publisher","unstructured":"Younis A, Malaiya YK, Ray I (2015) Assessing vulnerability exploitability risk using software properties. Softw Qual J. doi:\n                    http:\/\/dx.doi.org\/10.1007\/s11219-015-9274-6","DOI":"10.1007\/s11219-015-9274-6"},{"issue":"7","key":"9447_CR39","doi-asserted-by":"publisher","first-page":"653","DOI":"10.1093\/arclin\/16.7.653","volume":"16","author":"KK Zakzanis","year":"2001","unstructured":"Zakzanis KK (2001) Statistics to tell the truth, the whole truth, and nothing but the truth: formulae, illustrative numerical examples, and heuristic interpretation of effect size analyses for neuropsychological researchers. Arch Clin Neuropsychol 16(7):653\u2013667","journal-title":"Arch Clin Neuropsychol"},{"key":"9447_CR40","doi-asserted-by":"crossref","unstructured":"Zimmermann T, Nagappan N, Williams L (2010) Searching for a needle in a haystack: Predicting security vulnerabilities for windows vista. In: 2010 Third International Conference on Software Testing, Verification and Validation (ICST), IEEE, pp 421\u2013428","DOI":"10.1109\/ICST.2010.32"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s10664-016-9447-3\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-016-9447-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-016-9447-3","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-016-9447-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,5,17]],"date-time":"2020-05-17T15:05:45Z","timestamp":1589727945000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s10664-016-9447-3"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,8,18]]},"references-count":40,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2017,6]]}},"alternative-id":["9447"],"URL":"https:\/\/doi.org\/10.1007\/s10664-016-9447-3","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"type":"print","value":"1382-3256"},{"type":"electronic","value":"1573-7616"}],"subject":[],"published":{"date-parts":[[2016,8,18]]},"assertion":[{"value":"18 August 2016","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}