{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,5]],"date-time":"2026-07-05T21:52:06Z","timestamp":1783288326949,"version":"3.54.6"},"reference-count":63,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2023,2,16]],"date-time":"2023-02-16T00:00:00Z","timestamp":1676505600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2023,2,16]],"date-time":"2023-02-16T00:00:00Z","timestamp":1676505600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2023,3]]},"DOI":"10.1007\/s10664-022-10267-7","type":"journal-article","created":{"date-parts":[[2023,2,16]],"date-time":"2023-02-16T10:03:07Z","timestamp":1676541787000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["Vulnerability management in Linux distributions"],"prefix":"10.1007","volume":"28","author":[{"given":"Jiahuei","family":"Lin","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3921-1724","authenticated-orcid":false,"given":"Haoxiang","family":"Zhang","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Bram","family":"Adams","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Ahmed E.","family":"Hassan","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2023,2,16]]},"reference":[{"issue":"3","key":"10267_CR1","doi-asserted-by":"publisher","first-page":"960","DOI":"10.1007\/s10664-015-9371-y","volume":"21","author":"B Adams","year":"2016","unstructured":"Adams B, Kavanagh R, Hassan AE, German DM (2016) An empirical study of integration activities in distributions of open source software. Empirical Software Engineering (EMSE\u201916) 21(3):960\u20131001","journal-title":"Empirical Software Engineering (EMSE\u201916)"},{"issue":"4","key":"10267_CR2","doi-asserted-by":"publisher","first-page":"30","DOI":"10.1109\/MSP.2015.72","volume":"13","author":"B Al Sabbagh","year":"2015","unstructured":"Al Sabbagh B, Kowalski S (2015) A socio-technical framework for threat modeling a software supply chain. IEEE Security & Privacy 13(4):30\u201339","journal-title":"IEEE Security & Privacy"},{"issue":"3","key":"10267_CR3","first-page":"71","volume":"8","author":"A Algarni","year":"2014","unstructured":"Algarni A, Malaiya Y (2014) Software vulnerability markets: Discoverers and buyers. Int J Comput Inf Sci Eng 8(3):71\u201381","journal-title":"Int J Comput Inf Sci Eng"},{"issue":"1","key":"10267_CR4","doi-asserted-by":"publisher","first-page":"14","DOI":"10.1109\/TR.2008.916872","volume":"57","author":"OH Alhazmi","year":"2008","unstructured":"Alhazmi OH, Malaiya YK (2008) Application of vulnerability discovery models to major operating systems. IEEE Trans Reliab 57(1):14\u201322","journal-title":"IEEE Trans Reliab"},{"key":"10267_CR5","volume-title":"Security in open versus closed systems\u2014the dance of boltzmann, coase and moore. Tech. rep., Technical report","author":"R Anderson","year":"2002","unstructured":"Anderson R (2002) Security in open versus closed systems\u2014the dance of boltzmann, coase and moore. Tech. rep., Technical report. Cambridge University, England"},{"key":"10267_CR6","doi-asserted-by":"crossref","unstructured":"Bilge L, Dumitra\u015f T (2012) Before we knew it: an empirical study of zero-day attacks in the real world. In: Proceedings of the 2012 ACM conference on Computer and communications security (CCS\u201912), pp 833\u2013844","DOI":"10.1145\/2382196.2382284"},{"key":"10267_CR7","unstructured":"Christey S, Martin B (2013) Buying into the bias: Why vulnerability statistics suck. Blackhat, Las Vegas, USA, Tech, Rep 1"},{"key":"10267_CR8","unstructured":"CVE (online) https:\/\/cve.mitre.org\/. Last accessed: 2021-06-02"},{"key":"10267_CR9","unstructured":"da Costa DA, Abebe SL, McIntosh S, Kulesza U, Hassan AE (2014) An empirical study of delays in the integration of addressed issues. In: Proc. of the 30th int\u2019l conf. on software maintenance and evolution (ICSME\u201914), pp 281\u2013290"},{"key":"10267_CR10","unstructured":"Debian continuous integration (online) https:\/\/ci.debian.net\/doc\/. Last accessed: 2021-06-02"},{"key":"10267_CR11","unstructured":"Debian long term support (online) https:\/\/wiki.debian.org\/LTS. Last accessed: 2021-06-02"},{"key":"10267_CR12","unstructured":"Debian packages (online) https:\/\/packages.debian.org\/stable\/. Last accessed: 2021-06-02"},{"key":"10267_CR13","unstructured":"Debian releases (online) https:\/\/www.debian.org\/releases\/. Last accessed: 2021-06-02"},{"key":"10267_CR14","unstructured":"Debian security faq (online) https:\/\/www.debian.org\/security. Last accessed: 2021-06-02"},{"key":"10267_CR15","unstructured":"Debian security faq (online) https:\/\/www.debian.org\/security\/faq. Last accessed: 2021-06-02"},{"key":"10267_CR16","unstructured":"Debian security team (online) https:\/\/security-team.debian.org\/security_tracker.html. Last accessed: 2021-06-02"},{"key":"10267_CR17","unstructured":"Debian vulnerability disclosure policy (online) https:\/\/www.debian.org\/security\/disclosure-policy. Last accessed: 2021-06-02"},{"key":"10267_CR18","doi-asserted-by":"crossref","unstructured":"Duc AN, Cruzes DS, Ayala C, Conradi R (2011) Impact of stakeholder type and collaboration on issue resolution time in OSS projects. In: IFIP International conference on open source systems, pp 1\u201316. Springer","DOI":"10.1007\/978-3-642-24418-6_1"},{"key":"10267_CR19","unstructured":"Ellison RJ, Goodenough JB, Weinstock CB, Woody C (2010) Evaluating and mitigating software supply chain security risks. Tech. rep. Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst"},{"key":"10267_CR20","unstructured":"Fedora - packagekit items not found (online) https:\/\/docs.fedoraproject.org\/en-US\/quick-docs\/packagekit-not-found\/. Last accessed: 2021-06-02"},{"key":"10267_CR21","unstructured":"Fedora - security basics (online) https:\/\/fedoraproject.org\/wiki\/SecurityBasics#Subscribing_to_Security_Announcement_Services. Last accessed: 2021-06-02"},{"key":"10267_CR22","unstructured":"Fedora - security bugs (online) https:\/\/fedoraproject.org\/wiki\/Security_Bugs. Last accessed: 2021-06-02"},{"key":"10267_CR23","unstructured":"Fedora - update policy (online) https:\/\/docs.fedoraproject.org\/en-US\/fesco\/Updates_Policy\/. Last accessed: 2021-06-02"},{"key":"10267_CR24","unstructured":"Fedora package sources (online) https:\/\/src.fedoraproject.org\/?page=1&sorting=None. Last accessed: 2021-06-02"},{"key":"10267_CR25","unstructured":"Fedora release life cycle (online) https:\/\/fedoraproject.org\/wiki\/Fedora_Release_Life_Cycle. Last accessed: 2021-06-02"},{"issue":"3","key":"10267_CR26","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10664-020-09929-1","volume":"26","author":"A Foundjem","year":"2021","unstructured":"Foundjem A, Adams B (2021) Release synchronization in software ecosystems. Empir Softw Eng 26(3):1\u201350","journal-title":"Empir Softw Eng"},{"key":"10267_CR27","doi-asserted-by":"crossref","unstructured":"Frei S, May M, Fiedler U, Plattner B (2006) Large-scale vulnerability analysis. In: Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense (LSAD\u201906), pp 131\u2013138","DOI":"10.1145\/1162666.1162671"},{"key":"10267_CR28","unstructured":"Frei S, Tellenbach B, Plattner B (2008) 0-day patch exposing vendors (in) security performance. BlackHat Europe"},{"key":"10267_CR29","doi-asserted-by":"crossref","unstructured":"Fruhwirth C, Mannisto T (2009) Improving CVSS-based vulnerability prioritization and response with context information. In: 2009 3Rd international symposium on empirical software engineering and measurement, pp 535\u2013544. IEEE","DOI":"10.1109\/ESEM.2009.5314230"},{"key":"10267_CR30","unstructured":"Github - securing the world\u2019s software (online) https:\/\/octoverse.github.com\/static\/github-octoverse-2020-security-report.pdf. Last accessed: 2021-06-02"},{"key":"10267_CR31","unstructured":"Guidelines and practices for multi-party vulnerability coordination and disclosure (online) https:\/\/www.first.org\/global\/sigs\/vulnerability-coordination\/multiparty\/guidelines-v1.1. Last accessed: 2021-06-02"},{"key":"10267_CR32","unstructured":"Harer JA, Kim LY, Russell RL, Ozdemir O, Kosta LR, Rangamani A, Hamilton LH, Centeno GI, Key JR, Ellingwood PM et al (2018) Automated software vulnerability detection with machine learning. arXiv:1803.04497"},{"key":"10267_CR33","doi-asserted-by":"crossref","unstructured":"Huang Z, DAngelo M, Miyani D, Lie D (2016) Talos: Neutralizing vulnerabilities with security workarounds for rapid response. In: 2016 IEEE Symposium on security and privacy (SP\u201916), pp 618\u2013 635. IEEE","DOI":"10.1109\/SP.2016.43"},{"key":"10267_CR34","doi-asserted-by":"crossref","unstructured":"Jiang Y, Adams B, German DM (2013) Will my patch make it? and how fast? case study on the linux kernel 2013 10Th working conference on mining software repositories (MSR\u201913), pp 101\u2013110. IEEE","DOI":"10.1109\/MSR.2013.6624016"},{"key":"10267_CR35","unstructured":"Joh H, Malaiya YK (2011) Defining and assessing quantitative security risk measures using vulnerability lifecycle and cvss metrics. In: Proceedings of the 2011 international conference on security and management (SAM\u201911), vol 1, pp 10\u201316"},{"key":"10267_CR36","unstructured":"Kakimoto T, Kamei Y, Ohira M, Matsumoto K (2006) Social network analysis on communications for knowledge collaboration in OSS communities. In: Proceedings of the international workshop on supporting knowledge collaboration in software development (KCSD\u201906), pp 35\u201341. Citeseer"},{"issue":"6","key":"10267_CR37","doi-asserted-by":"publisher","first-page":"1071","DOI":"10.1111\/1539-6924.00274","volume":"22","author":"A Klinke","year":"2002","unstructured":"Klinke A, Renn O (2002) A new approach to risk evaluation and management: Risk-based, precaution-based, and discourse-based strategies 1. Risk Analysis: An Int J 22(6):1071\u20131094","journal-title":"Risk Analysis: An Int J"},{"issue":"1","key":"10267_CR38","doi-asserted-by":"publisher","first-page":"384","DOI":"10.1007\/s10664-017-9521-5","volume":"23","author":"RG Kula","year":"2018","unstructured":"Kula RG, German DM, Ouni A, Ishio T, Inoue K (2018) Do developers update their library dependencies?. Empir Softw Eng 23(1):384\u2013417","journal-title":"Empir Softw Eng"},{"key":"10267_CR39","doi-asserted-by":"crossref","unstructured":"Li F, Paxson V (2017) A large-scale empirical study of security patches. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS\u201917), pp 2201\u20132215","DOI":"10.1145\/3133956.3134072"},{"key":"10267_CR40","unstructured":"LTS development (online) https:\/\/wiki.debian.org\/LTS\/Development#Prepare_security_updates_for_LTS. Last accessed: 2021-06-02"},{"key":"10267_CR41","doi-asserted-by":"crossref","unstructured":"Ma W, Chen L, Zhang X, Zhou Y, Xu B (2017) How do developers fix cross-project correlated bugs? a case study on the github scientific python ecosystem. In: 2017 IEEE\/ACM 39Th international conference on software engineering (ICSE\u201917), pp 381\u2013392. IEEE","DOI":"10.1109\/ICSE.2017.42"},{"key":"10267_CR42","doi-asserted-by":"crossref","unstructured":"Nappa A, Johnson R, Bilge L, Caballero J, Dumitras T (2015) The attack of the clones: a study of the impact of shared code on vulnerability patching. In: 2015 IEEE Symposium on security and privacy, pp 692\u2013708. IEEE","DOI":"10.1109\/SP.2015.48"},{"key":"10267_CR43","unstructured":"National vulnerability database (online) https:\/\/nvd.nist.gov\/. Last accessed: 2021-06-02"},{"key":"10267_CR44","doi-asserted-by":"crossref","unstructured":"Ohm M, Plate H, Sykosch A, Meier M (2020) Backstabber\u2019s knife collection: a review of open source software supply chain attacks. In: International conference on detection of intrusions and malware, and vulnerability assessment (DIMVA\u201920), pp 23\u201343. Springer","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"10267_CR45","unstructured":"Operating system distribution security contact lists (online) https:\/\/oss-security.openwall.org\/wiki\/mailing-lists\/distros. Last accessed: 2021-06-02"},{"key":"10267_CR46","unstructured":"Ozment A, Schechter SE (2006) Milk or wine: does software security improve with age?. In: USENIX Security symposium, vol 6"},{"key":"10267_CR47","doi-asserted-by":"crossref","unstructured":"Ramsauer R, Bulwahn L, Lohmann D, Mauerer W (2020) The sound of silence: Mining security vulnerabilities from secret integration channels in open-source projects. In: Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop (CCSW\u201920), pp 147\u2013157","DOI":"10.1145\/3411495.3421360"},{"issue":"3","key":"10267_CR48","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1007\/s12130-999-1026-0","volume":"12","author":"E Raymond","year":"1999","unstructured":"Raymond E (1999) The cathedral and the bazaar. Knowledge, Technology & Policy 12(3):23\u201349","journal-title":"Knowledge, Technology & Policy"},{"key":"10267_CR49","unstructured":"Reasons to use debian (online) https:\/\/www.debian.org\/intro\/why_debian. Last accessed: 2021-06-02"},{"key":"10267_CR50","doi-asserted-by":"crossref","unstructured":"Ristov S, Gusev M, Donevski A (2013) Openstack cloud security vulnerabilities from inside and outside. Cloud Computing, 101\u2013107","DOI":"10.1145\/2490257.2490285"},{"key":"10267_CR51","doi-asserted-by":"crossref","unstructured":"Russell R, Kim L, Hamilton L, Lazovich T, Harer J, Ozdemir O, Ellingwood P, McConley M (2018) Automated vulnerability detection in source code using deep representation learning. In: 2018 17Th IEEE international conference on machine learning and applications (ICMLA\u201918), pp 757\u2013762. IEEE","DOI":"10.1109\/ICMLA.2018.00120"},{"key":"10267_CR52","doi-asserted-by":"crossref","unstructured":"Schryen G (2009) A comprehensive and comparative analysis of the patching behavior of open source and closed source software vendors. In: 2009 Fifth international conference on IT security incident management and IT forensics (IMF\u201909), pp 153\u2013168. IEEE","DOI":"10.1109\/IMF.2009.15"},{"key":"10267_CR53","unstructured":"Securing debian manual - before the compromise (online) https:\/\/www.debian.org\/doc\/manuals\/securing-debian-manual\/ch10.en.html#security-support-testing. Last accessed: 2021-06-02"},{"key":"10267_CR54","doi-asserted-by":"crossref","unstructured":"Shahzad M, Shafiq MZ, Liu AX (2012) A large scale exploratory analysis of software vulnerability life cycles. In: 2012 34Th international conference on software engineering (ICSE\u201912), pp 771\u2013781. IEEE","DOI":"10.1109\/ICSE.2012.6227141"},{"key":"10267_CR55","unstructured":"The hidden costs of embargoes (online) https:\/\/access.redhat.com\/blogs\/766093\/posts\/1976653. Last accessed: 2021-06-02"},{"key":"10267_CR56","doi-asserted-by":"crossref","unstructured":"Telang R, Wattal S (2005) Impact of software vulnerability announcements on the market value of software vendors-an empirical investigation. Available at SSRN 677427","DOI":"10.2139\/ssrn.677427"},{"key":"10267_CR57","unstructured":"US national institute of standards and technology (online) CVSS information. https:\/\/nvd.nist.gov\/vuln-metrics\/cvss. Last accessed: 2021-06-02"},{"key":"10267_CR58","unstructured":"Wang S, Nagappan N (2019) Characterizing and understanding software developer networks in security development. arXiv:1907.12141"},{"key":"10267_CR59","doi-asserted-by":"crossref","unstructured":"Wang X, Sun K, Batcheller A, Jajodia S (2019) Detecting \u201c0-day\u201d vulnerability: an empirical study of secret security patch in OSS. In: 2019 49Th annual IEEE\/IFIP international conference on dependable systems and networks (DSN\u201919), pp 485\u2013492. IEEE","DOI":"10.1109\/DSN.2019.00056"},{"key":"10267_CR60","doi-asserted-by":"crossref","unstructured":"Yilek S, Rescorla E, Shacham H, Enright B, Savage S (2009) When private keys are public: Results from the 2008 Debian openSSL vulnerability. In: Proceedings of the 9th ACM Conference on Internet Measurement (IMC\u201909), pp 15\u201327","DOI":"10.1145\/1644893.1644896"},{"key":"10267_CR61","doi-asserted-by":"crossref","unstructured":"Yin Z, Yuan D, Zhou Y, Pasupathy S, Bairavasundaram L (2011) How do fixes become bugs?. In: Proceedings of the 19th ACM SIGSOFT symposium and the 13th European conference on Foundations of software engineering (FSE\u201911), pp 26\u201336","DOI":"10.1145\/2025113.2025121"},{"key":"10267_CR62","doi-asserted-by":"crossref","unstructured":"Zaman S, Adams B, Hassan AE (2011) Security versus performance bugs: a case study on firefox. In: Proceedings of the 8th working conference on mining software repositories (MSR\u201911), pp 93\u2013102","DOI":"10.1145\/1985441.1985457"},{"key":"10267_CR63","unstructured":"Zhang H, Wang S, Li H, Chen THP, Hassan AE (2021) A study of c\/C+ + code weaknesses on stack overflow. IEEE Transactions on Software Engineering (TSE\u201921)"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-022-10267-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-022-10267-7\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-022-10267-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,4,3]],"date-time":"2023-04-03T07:07:04Z","timestamp":1680505624000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-022-10267-7"}},"subtitle":["An empirical study on Debian and Fedora"],"short-title":[],"issued":{"date-parts":[[2023,2,16]]},"references-count":63,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2023,3]]}},"alternative-id":["10267"],"URL":"https:\/\/doi.org\/10.1007\/s10664-022-10267-7","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,2,16]]},"assertion":[{"value":"25 November 2022","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"16 February 2023","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"<!--Emphasis Type='Bold' removed-->Conflict of Interests"}}],"article-number":"47"}}