{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,17]],"date-time":"2026-04-17T04:10:09Z","timestamp":1776399009904,"version":"3.51.2"},"reference-count":47,"publisher":"Springer Science and Business Media LLC","issue":"6","license":[{"start":{"date-parts":[[2023,11,1]],"date-time":"2023-11-01T00:00:00Z","timestamp":1698796800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2023,11,1]],"date-time":"2023-11-01T00:00:00Z","timestamp":1698796800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2023,11]]},"DOI":"10.1007\/s10664-023-10403-x","type":"journal-article","created":{"date-parts":[[2023,11,10]],"date-time":"2023-11-10T11:02:01Z","timestamp":1699614121000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["On the coordination of vulnerability fixes"],"prefix":"10.1007","volume":"28","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7133-2219","authenticated-orcid":false,"given":"Jiahuei","family":"Lin","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bram","family":"Adams","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ahmed E.","family":"Hassan","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2023,11,10]]},"reference":[{"key":"10403_CR1","doi-asserted-by":"crossref","unstructured":"Alfadel M, Costa DE, Shihab E (2021) Empirical analysis of security vulnerabilities in python packages. In: 2021 IEEE International conference on software analysis, evolution and reengineering (SANER\u201921). IEEE, pp 446\u2013457","DOI":"10.1109\/SANER50967.2021.00048"},{"key":"10403_CR2","doi-asserted-by":"crossref","unstructured":"Allodi L (2017) Economic factors of vulnerability trade and exploitation. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, pp 1483\u20131499","DOI":"10.1145\/3133956.3133960"},{"issue":"1","key":"10403_CR3","doi-asserted-by":"publisher","first-page":"115","DOI":"10.1287\/isre.1080.0226","volume":"21","author":"A Arora","year":"2010","unstructured":"Arora A, Krishnan R, Telang R, Yang Y (2010) An empirical analysis of software vendors\u2019 patch release behavior: impact of vulnerability disclosure. Inf Syst Res 21(1):115\u2013132","journal-title":"Inf Syst Res"},{"key":"10403_CR4","unstructured":"Arora A, Krishnan R, Nandkumar A, Telang R, Yang Y (2004) Impact of vulnerability disclosure and patch availability-an empirical analysis. In: Third workshop on the economics of information security, vol 24, pp 1268\u20131287"},{"key":"10403_CR5","unstructured":"Bhargava G, Chandini, M (2018) Then and now: on the maturity of the cybercrime markets"},{"key":"10403_CR6","doi-asserted-by":"publisher","first-page":"69","DOI":"10.1016\/j.jweia.2014.03.008","volume":"129","author":"B Blocken","year":"2014","unstructured":"Blocken B (2014) 50 years of computational wind engineering: past, present and future. J Wind Eng Ind Aerodyn 129:69\u2013102","journal-title":"J Wind Eng Ind Aerodyn"},{"issue":"1","key":"10403_CR7","doi-asserted-by":"publisher","first-page":"70","DOI":"10.1109\/TR.2019.2924932","volume":"69","author":"X Chen","year":"2019","unstructured":"Chen X, Zhao Y, Cui Z, Meng G, Liu Y, Wang Z (2019) Large-scale empirical studies on effort-aware security vulnerability prediction methods. IEEE Trans Reliab 69(1):70\u201387","journal-title":"IEEE Trans Reliab"},{"issue":"3","key":"10403_CR8","first-page":"1","volume":"26","author":"B Chinthanet","year":"2021","unstructured":"Chinthanet B, Kula RG, McIntosh S, Ishio T, Ihara A, Matsumoto K (2021) Lags in the release, adoption, and propagation of npm vulnerability fixes. Empirical Software Engineering (EMSE\u201921) 26(3):1\u201328","journal-title":"Empirical Software Engineering (EMSE\u201921)"},{"key":"10403_CR9","unstructured":"CNA (online). https:\/\/www.cve.org\/ProgramOrganization\/CNAs. Last Accessed 05 Feb 2022"},{"key":"10403_CR10","unstructured":"CVE (online). https:\/\/cve.mitre.org\/. Last Accessed 05 Feb 2022"},{"key":"10403_CR11","unstructured":"CWE (online). https:\/\/cwe.mitre.org\/. Last Accessed 05 Feb 2022"},{"key":"10403_CR12","doi-asserted-by":"crossref","unstructured":"Decan A, Mens T, Constantinou E (2018) On the impact of security vulnerabilities in the npm package dependency network. In: Proceedings of the 15th international conference on mining software repositories (MSR\u201918), pp 181\u2013191","DOI":"10.1145\/3196398.3196401"},{"key":"10403_CR13","doi-asserted-by":"crossref","unstructured":"Dolan-Gavitt B, Hulin P, Kirda E, Leek T, Mambretti A, Robertson W, Ulrich F, Whelan R (2016) Lava: large-scale automated vulnerability addition. In: 2016 IEEE Symposium on security and privacy (SP\u201916). IEEE, pp 110\u2013121","DOI":"10.1109\/SP.2016.15"},{"key":"10403_CR14","unstructured":"Farhang S, Kirdan MB, Laszka A, Grossklags J (2019) Hey google, what exactly do your security patches tell us? a large-scale empirical study on android patched vulnerabilities. arXiv preprint arXiv:1905.09352"},{"key":"10403_CR15","doi-asserted-by":"crossref","unstructured":"Feutrill A, Roughan M, Ross J, Yarom Y (2020) A queueing solution to reduce delay in processing of disclosed vulnerabilities. In: 2020 Second IEEE international conference on trust, privacy and security in intelligent systems and applications. IEEE, pp 1\u201311","DOI":"10.1109\/TPS-ISA50397.2020.00012"},{"key":"10403_CR16","doi-asserted-by":"crossref","unstructured":"Frei S, May M, Fiedler U, Plattner B (2006) Large-scale vulnerability analysis. In: Proceedings of the 2006 SIGCOMM workshop on large-scale attack defense, pp 131\u2013138","DOI":"10.1145\/1162666.1162671"},{"issue":"2011","key":"10403_CR17","first-page":"32","volume":"11","author":"P Goyal","year":"2011","unstructured":"Goyal P, Parmar V, Rishi R et al (2011) Manet: vulnerabilities, challenges, attacks, application. IJCEM International Journal of Computational Engineering & Management 11(2011):32\u201337","journal-title":"IJCEM International Journal of Computational Engineering & Management"},{"key":"10403_CR18","doi-asserted-by":"crossref","unstructured":"Grieco G, Grinblat GL, Uzal L, Rawat S, Feist J, Mounier L (2016) Toward large-scale vulnerability discovery using machine learning. In: Proceedings of the sixth ACM conference on data and application security and privacy, pp 85\u201396","DOI":"10.1145\/2857705.2857720"},{"key":"10403_CR19","unstructured":"Guidelines and practices for multi-party vulnerability coordination and disclosure (online). https:\/\/www.first.org\/global\/sigs\/vulnerability-coordination\/multiparty\/guidelines-v1.0. Last Accessed 05 Feb 2022"},{"issue":"3","key":"10403_CR20","doi-asserted-by":"publisher","first-page":"1","DOI":"10.4018\/IJCAC.2017070101","volume":"7","author":"S Gupta","year":"2017","unstructured":"Gupta S, Gupta BB (2017) Detection, avoidance, and attack pattern mechanisms in modern web application vulnerabilities: present and future challenges. International Journal of Cloud Applications and Computing (IJCAC17) 7(3):1\u201343","journal-title":"International Journal of Cloud Applications and Computing (IJCAC17)"},{"key":"10403_CR21","doi-asserted-by":"crossref","unstructured":"Huang Z, DAngelo M, Miyani D, Lie D (2016) Talos: neutralizing vulnerabilities with security workarounds for rapid response. In: 2016 IEEE Symposium on security and privacy (SP\u201916). IEEE, pp 618\u2013635","DOI":"10.1109\/SP.2016.43"},{"key":"10403_CR22","unstructured":"Joh H, Malaiya YK (2011) Defining and assessing quantitative security risk measures using vulnerability lifecycle and cvss metrics. In: Proceedings of the 2011 International conference on security and management (SAM\u201911), vol 1, pp 10\u201316"},{"key":"10403_CR23","doi-asserted-by":"crossref","unstructured":"Jovanovic N, Kruegel C, Kirda E (2006) Pixy: a static analysis tool for detecting web application vulnerabilities. In: 2006 IEEE Symposium on security and privacy (SP\u201906). IEEE, pp 6\u2013pp","DOI":"10.1109\/SP.2006.29"},{"issue":"1","key":"10403_CR24","doi-asserted-by":"publisher","first-page":"384","DOI":"10.1007\/s10664-017-9521-5","volume":"23","author":"RG Kula","year":"2018","unstructured":"Kula RG, German DM, Ouni A, Ishio T, Inoue K (2018) Do developers update their library dependencies? Empirical Software Engineering (EMSE\u201918) 23(1):384\u2013417","journal-title":"Empirical Software Engineering (EMSE\u201918)"},{"key":"10403_CR25","doi-asserted-by":"crossref","unstructured":"Lee J, Hong S, Oh H (2018) Memfix: static analysis-based repair of memory deallocation errors for c. In: Proceedings of the 2018 26th ACM Joint meeting on European software engineering conference and symposium on the foundations of software engineering, pp 95\u2013106","DOI":"10.1145\/3236024.3236079"},{"key":"10403_CR26","doi-asserted-by":"crossref","unstructured":"Li F, Paxson V (2017) A large-scale empirical study of security patches. In: Proceedings of the 2017 ACM SIGSAC Conference on computer and communications security, pp 2201\u20132215","DOI":"10.1145\/3133956.3134072"},{"key":"10403_CR27","doi-asserted-by":"crossref","unstructured":"Liu B, Meng G, Zou W, Gong Q, Li F, Lin M, Sun D, Huo W, Zhang C (2020) A large-scale empirical study on vulnerability distribution within projects and the lessons learned. In: 2020 IEEE\/ACM 42nd International conference on software engineering (ICSE\u201920). IEEE, pp 1547\u20131559","DOI":"10.1145\/3377811.3380923"},{"key":"10403_CR28","doi-asserted-by":"crossref","unstructured":"Li Z, Zou D, Xu S, Jin H, Zhu Y, Chen Z (2021) Sysevr: a framework for using deep learning to detect software vulnerabilities. IEEE Transactions on Dependable and Secure Computing","DOI":"10.1109\/TDSC.2021.3051525"},{"key":"10403_CR29","doi-asserted-by":"crossref","unstructured":"Machiry A, Redini N, Camellini E, Kruegel C, Vigna G (2020) Spider: enabling fast patch propagation in related software repositories. In: 2020 IEEE Symposium on security and privacy (SP\u201920). IEEE, pp 1562\u20131579","DOI":"10.1109\/SP40000.2020.00038"},{"key":"10403_CR30","doi-asserted-by":"crossref","unstructured":"Nakajima A, Watanabe T, Shioji E, Akiyama M, Woo M (2019) A pilot study on consumer iot device vulnerability disclosure and patch release in japan and the united states. In: Proceedings of the 2019 ACM Asia conference on computer and communications security (AsiaCCS \u201919), pp 485\u2013492","DOI":"10.1145\/3321705.3329849"},{"key":"10403_CR31","doi-asserted-by":"crossref","unstructured":"Nappa A, Johnson R, Bilge L, Caballero J, Dumitras T (2015) The attack of the clones: a study of the impact of shared code on vulnerability patching. In: 2015 IEEE symposium on security and privacy (SP\u201915). IEEE, pp 692\u2013708","DOI":"10.1109\/SP.2015.48"},{"key":"10403_CR32","unstructured":"U.S. national institute of standards and technology. CVSS information (online). https:\/\/nvd.nist.gov\/vuln-metrics\/cvss. Last Accessed 05 Feb 2022"},{"key":"10403_CR33","unstructured":"National vulnerability database (online). https:\/\/nvd.nist.gov\/. Last Accessed 05 Feb 2022"},{"key":"10403_CR34","unstructured":"Ozment A, Schechter SE (2006) Milk or wine: does software security improve with age? In: USENIX security symposium, vol 6, pp 10\u20135555"},{"key":"10403_CR35","doi-asserted-by":"crossref","unstructured":"Piantadosi V, Scalabrino S, Oliveto R (2019) Fixing of security vulnerabilities in open source projects: a case study of apache http server and apache tomcat. In: 2019 12th IEEE Conference on software testing, validation and verification (ICST\u201919). IEEE, pp 68\u201378","DOI":"10.1109\/ICST.2019.00017"},{"key":"10403_CR36","doi-asserted-by":"crossref","unstructured":"Rafique S, Humayun M, Hamid B, Abbas A, Akhtar M, Iqbal K (2015) Web application security vulnerabilities detection approaches: a systematic mapping study. In: 2015 IEEE\/ACIS 16th International conference on software engineering, artificial intelligence, networking and parallel\/distributed computing (SNPD\u201915). IEEE, pp 1\u20136","DOI":"10.1109\/SNPD.2015.7176244"},{"key":"10403_CR37","doi-asserted-by":"crossref","unstructured":"Ruohonen J (2018) An empirical analysis of vulnerabilities in python packages for web applications. In: 2018 9th International workshop on empirical software engineering in practice (IWESEP\u201918). IEEE, pp 25\u201330","DOI":"10.1109\/IWESEP.2018.00013"},{"key":"10403_CR38","doi-asserted-by":"publisher","first-page":"239","DOI":"10.1016\/j.infsof.2018.06.005","volume":"103","author":"J Ruohonen","year":"2018","unstructured":"Ruohonen J, Rauti S, Hyrynsalmi S, Lepp\u00e4nen V (2018) A case study on software vulnerability coordination. Inf Softw Technol 103:239\u2013257","journal-title":"Inf Softw Technol"},{"key":"10403_CR39","unstructured":"Sabottke C, Suciu O, Dumitras T (2015) Vulnerability disclosure in the age of social media: exploiting twitter for predicting $$\\{$$Real-World$$\\}$$ exploits. In: 24th USENIX security symposium (USENIX Security 15), pp 1041\u20131056"},{"key":"10403_CR40","doi-asserted-by":"crossref","unstructured":"Shahzad M, Shafiq MZ, Liu AX (2012) A large scale exploratory analysis of software vulnerability life cycles. In: 2012 34th International conference on software engineering (ICSE\u201912). IEEE, pp 771\u2013781","DOI":"10.1109\/ICSE.2012.6227141"},{"issue":"6","key":"10403_CR41","doi-asserted-by":"publisher","first-page":"772","DOI":"10.1109\/TSE.2010.81","volume":"37","author":"Y Shin","year":"2010","unstructured":"Shin Y, Meneely A, Williams L, Osborne JA (2010) Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE transactions on software engineering (TSE\u201910) 37(6):772\u2013787","journal-title":"IEEE transactions on software engineering (TSE\u201910)"},{"issue":"1","key":"10403_CR42","doi-asserted-by":"publisher","first-page":"60","DOI":"10.1109\/MIC.2012.61","volume":"17","author":"AK Sood","year":"2012","unstructured":"Sood AK, Bansal R, Enbody RJ (2012) Cybercrime: dissecting the state of underground enterprise. IEEE Internet Comput 17(1):60\u201368","journal-title":"IEEE Internet Comput"},{"key":"10403_CR43","unstructured":"Stock B, Pellegrino G, Rossow C, Johns M, Backes M (2016) Hey, you have a problem: on the feasibility of $$\\{$$Large-Scale$$\\}$$ web vulnerability notification. In: 25th USENIX security symposium, pp 1015\u20131032"},{"key":"10403_CR44","doi-asserted-by":"crossref","unstructured":"Wang X, Sun K, Batcheller A, Jajodia S (2019) Detecting \"0-day\" vulnerability: an empirical study of secret security patch in OSS. In: 2019 49th Annual IEEE\/IFIP international conference on dependable systems and networks (DSN\u201919). IEEE, pp 485\u2013492","DOI":"10.1109\/DSN.2019.00056"},{"key":"10403_CR45","doi-asserted-by":"crossref","unstructured":"Wu D, Gao D, Cheng EK, Cao Y, Jiang J, Deng RH (2019) Towards understanding android system vulnerabilities: techniques and insights. In: Proceedings of the 2019 ACM Asia conference on computer and communications security (AsiaCCS \u201919), pp 295\u2013306","DOI":"10.1145\/3321705.3329831"},{"key":"10403_CR46","unstructured":"Zhang H, Wang S, Li H, Chen THP, Hassan AE (2021) A study of C\/C++ code weaknesses on stack overflow. IEEE Transactions on Software Engineering (TSE\u201921)"},{"key":"10403_CR47","doi-asserted-by":"crossref","unstructured":"Zhao M, Grossklags J, Liu P (2015) An empirical study of web vulnerability discovery ecosystems. In: Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, pp 1105\u20131117","DOI":"10.1145\/2810103.2813704"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-023-10403-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-023-10403-x\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-023-10403-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,29]],"date-time":"2023-11-29T12:18:54Z","timestamp":1701260334000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-023-10403-x"}},"subtitle":["An empirical study of practices from 13 CVE numbering authorities"],"short-title":[],"issued":{"date-parts":[[2023,11]]},"references-count":47,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2023,11]]}},"alternative-id":["10403"],"URL":"https:\/\/doi.org\/10.1007\/s10664-023-10403-x","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,11]]},"assertion":[{"value":"2 October 2023","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"10 November 2023","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of Interests"}}],"article-number":"151"}}