{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,30]],"date-time":"2026-03-30T15:07:50Z","timestamp":1774883270103,"version":"3.50.1"},"reference-count":32,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2026,2,6]],"date-time":"2026-02-06T00:00:00Z","timestamp":1770336000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0"},{"start":{"date-parts":[[2026,2,6]],"date-time":"2026-02-06T00:00:00Z","timestamp":1770336000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2026,5]]},"DOI":"10.1007\/s10664-025-10794-z","type":"journal-article","created":{"date-parts":[[2026,2,6]],"date-time":"2026-02-06T04:32:32Z","timestamp":1770352352000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Security by documentation? characterizing GitHub SECURITY.md policy and their adoption in Python libraries"],"prefix":"10.1007","volume":"31","author":[{"given":"Morakot","family":"Choetkiertikul","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sushawapak","family":"Kancharoendee","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Chanikarn","family":"Jongyingyos","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Thanat","family":"Phichitphanphong","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-8386-9558","authenticated-orcid":false,"given":"Chaiyong","family":"Ragkhitwetsagul","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Brittany","family":"Reid","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Raula Gaikovina","family":"Kula","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Thanwadee","family":"Sunetnanta","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2026,2,6]]},"reference":[{"issue":"3","key":"10794_CR1","doi-asserted-by":"publisher","first-page":"59","DOI":"10.1007\/s10664-022-10278-4","volume":"28","author":"M Alfadel","year":"2023","unstructured":"Alfadel M, Costa DE, Shihab E (2023) Empirical analysis of security vulnerabilities in python packages. Empir Softw Eng 28(3):59","journal-title":"Empir Softw Eng"},{"issue":"2","key":"10794_CR2","doi-asserted-by":"publisher","first-page":"193","DOI":"10.1214\/aoms\/1177729437","volume":"23","author":"TW Anderson","year":"1952","unstructured":"Anderson TW, Darling DA (1952) Asymptotic theory of certain \u201cGoodness of Fit\u2019\u2019 criteria based on stochastic processes. Ann Math Stat 23(2):193\u2013212","journal-title":"Ann Math Stat"},{"key":"10794_CR3","unstructured":"Assal H, Chiasson S (2018) Security in the software development lifecycle. In: Proceeding of the 14th Symposium on Usable Privacy and Security (SOUPS), (Baltimore, MD). USENIX Association, pp 281\u2013296"},{"key":"10794_CR4","doi-asserted-by":"crossref","unstructured":"Ayala J, Garcia J (2023) An empirical study on workflows and security policies in popular github repositories. In: Proceeding of the IEEE\/ACM 1st International Workshop on Software Vulnerability (SVM), pp 6\u20139","DOI":"10.1109\/SVM59160.2023.00006"},{"key":"10794_CR5","first-page":"993","volume":"3","author":"DM Blei","year":"2003","unstructured":"Blei DM, Ng AY, Jordan MI (2003) Latent dirichlet allocation. J Mach Learn Res 3:993\u20131022","journal-title":"J Mach Learn Res"},{"key":"10794_CR6","doi-asserted-by":"crossref","unstructured":"Bommarito E, Bommarito MJ (2019) An empirical analysis of the python package index (pypi). Softw Eng eJ","DOI":"10.2139\/ssrn.3426281"},{"key":"10794_CR7","doi-asserted-by":"crossref","unstructured":"B\u00fchlmann N, Ghafari M (2022) How do developers deal with security issue reports on github?. In: Proceedings of the 37th ACM\/SIGAPP Symposium on Applied Computing. SAC \u201922, (New York, NY, USA). Association for Computing Machinery, pp 1580\u20131589","DOI":"10.1145\/3477314.3507123"},{"key":"10794_CR8","unstructured":"Cass S (2024) The top programming languages 2024: typescript and rust are among the rising stars. https:\/\/spectrum.ieee.org\/top-programming-languages-2024. Accessed 18 Nov 2024"},{"issue":"1","key":"10794_CR9","doi-asserted-by":"publisher","first-page":"37","DOI":"10.1177\/001316446002000104","volume":"20","author":"J Cohen","year":"1960","unstructured":"Cohen J (1960) A coefficient of agreement for nominal scales. Educ Psychol Measur 20(1):37\u201346","journal-title":"Educ Psychol Measur"},{"key":"10794_CR10","first-page":"2962","volume":"28","author":"M Feurer","year":"2015","unstructured":"Feurer M, Klein A, Eggensperger K, Springenberg J, Blum M (2015) Hutter F (2015) Efficient and robust automated machine learning. Adv Neural Inf Process Syst 28:2962\u20132970","journal-title":"Adv Neural Inf Process Syst"},{"key":"10794_CR11","unstructured":"GitHub (2024a) Adding a security policy to your repository. https:\/\/docs.github.com\/en\/code-security\/getting-started\/adding-a-security-policy-to-your-repository"},{"key":"10794_CR12","unstructured":"GitHub (2024b) Github advisory database. https:\/\/github.com\/advisories. Accessed 12 Sept 2024"},{"key":"10794_CR13","doi-asserted-by":"crossref","unstructured":"Ikeda S, Ihara A, Kula R, Matsumoto K (2018) An empirical study on readme contents for javascript packages. IEICE Transactions on Information and Systems E102.D","DOI":"10.1587\/transinf.2018EDP7071"},{"key":"10794_CR14","doi-asserted-by":"crossref","unstructured":"Jarukitpipat V, Chhun K, Wanprasert W, Ragkhitwetsagul C, Choetkiertikul M, Sunetnanta T, Kula RG, Chinthanet B, Ishio T, Matsumoto K (2023) V-achilles: an interactive visualization of transitive security vulnerabilities. In: Proceedings of the 37th IEEE\/ACM International Conference on Automated Software Engineering. ASE \u201922, (New York, NY, USA). Association for Computing Machinery","DOI":"10.1145\/3551349.3559526"},{"key":"10794_CR15","doi-asserted-by":"crossref","unstructured":"Kancharoendee S, Phichitphanphong T, Jongyingyos C, Reid B, Kula RG, Choetkiertikul M, Ragkhitwetsagul C, Sunetnanta T (2025) On categorizing open source software security vulnerability reporting mechanisms on github. In: Proceeding of the IEEE International Conference on Software Analysis. Evolution and Reengineering, Early Research Achievement (SANER-ERA), pp 751\u2013756","DOI":"10.1109\/SANER64311.2025.00076"},{"key":"10794_CR16","doi-asserted-by":"publisher","first-page":"384","DOI":"10.1007\/s10664-017-9521-5","volume":"23","author":"RG Kula","year":"2018","unstructured":"Kula RG, German DM, Ouni A, Ishio T, Inoue K (2018) Do developers update their library dependencies? Empirical Softw Engg 23:384\u2013417","journal-title":"Empirical Softw Engg"},{"key":"10794_CR17","doi-asserted-by":"crossref","unstructured":"Loper E, Bird S (2002) Nltk: the natural language toolkit. In: Proceedings of the Workshop on Effective Tools and Methodologies for Teaching Natural Language Processing and Computational Linguistics. ETMTNLP \u201902, (USA). Association for Computational Linguistics, pp 63\u201370","DOI":"10.3115\/1118108.1118117"},{"key":"10794_CR18","unstructured":"Lundberg SM, Lee S-I (2017) A unified approach to interpreting model predictions. In: Proceedings of the 31st International Conference on Neural Information Processing Systems. NIPS\u201917, (Red Hook, NY, USA). Curran Associates Inc., pp 4768\u20134777"},{"issue":"1","key":"10794_CR19","doi-asserted-by":"publisher","first-page":"50","DOI":"10.1214\/aoms\/1177730491","volume":"18","author":"HB Mann","year":"1947","unstructured":"Mann HB, Whitney DR (1947) On a test of whether one of two random variables is stochastically larger than the other. Ann Math Stat 18(1):50\u201360","journal-title":"Ann Math Stat"},{"key":"10794_CR20","doi-asserted-by":"publisher","first-page":"39","DOI":"10.1145\/219717.219748","volume":"38","author":"GA Miller","year":"1995","unstructured":"Miller GA (1995) Wordnet: a lexical database for english. Commun ACM 38:39\u201341","journal-title":"Commun ACM"},{"key":"10794_CR21","unstructured":"MITRE Corporation (2025) Common Vulnerabilities and Exposures (CVE). https:\/\/cve.mitre.org\/. Accessed 14 Dec 2024"},{"key":"10794_CR22","unstructured":"Qiao Y, Gong L, Zhao Y, Wang Y, Wei M (2024) Demuvgn: effective software defect prediction model by learning multi-view software dependency via graph neural networks. arXiv:2410.19550"},{"key":"10794_CR23","unstructured":"\u0158eh\u016f\u0159ek R, Sojka P (2010) Software Framework for Topic Modelling with Large Corpora. In: Proceedings of the Workshop on New Challenges for NLP Frameworks (LREC), (Valletta, Malta). ELRA, pp 45\u201350"},{"key":"10794_CR24","unstructured":"SonarSource (2025) Sonarqube. https:\/\/www.sonarsource.com\/products\/sonarqube\/. Accessed 12 Sept 2024"},{"issue":"1","key":"10794_CR25","doi-asserted-by":"publisher","first-page":"43","DOI":"10.1046\/j.1365-2575.2002.00117.x","volume":"12","author":"I Stamelos","year":"2002","unstructured":"Stamelos I, Angelis L, Oikonomou A, Bleris GL (2002) Code quality analysis in open source software development. Inf Syst J 12(1):43\u201360","journal-title":"Inf Syst J"},{"issue":"86","key":"10794_CR26","first-page":"2579","volume":"9","author":"L van\u00a0der Maaten","year":"2008","unstructured":"van\u00a0der Maaten L, Hinton G (2008) Visualizing data using t-sne. J Mach Learn Res 9(86):2579\u20132605","journal-title":"J Mach Learn Res"},{"key":"10794_CR27","doi-asserted-by":"crossref","unstructured":"Wermke D, W\u00f6hler N, Klemmer JH, Fourn\u00e9 M, Acar Y, Fahl S (2022) Committed to trust: a qualitative study on security & trust in open source software projects. In: Proceeding of the IEEE Symposium on Security and Privacy (SP), pp 1880\u20131896","DOI":"10.1109\/SP46214.2022.9833686"},{"key":"10794_CR28","doi-asserted-by":"crossref","unstructured":"Younis AA, Hu Y, Abdunabi R (2023) Analyzing software supply chain security risks in industrial control system protocols: an openssf scorecard approach. In: Proceeding of the 10th International Conference on Dependable Systems and Their Applications (DSA). IEEE, pp 302\u2013311","DOI":"10.1109\/DSA59317.2023.00044"},{"issue":"6","key":"10794_CR29","doi-asserted-by":"publisher","first-page":"76","DOI":"10.1109\/MSEC.2023.3279773","volume":"21","author":"N Zahan","year":"2023","unstructured":"Zahan N, Kanakiya P, Hambleton B, Shohan S, Williams L (2023a) Openssf scorecard: on the path toward ecosystem-wide automated security metrics. IEEE Secur Priv 21(6):76\u201388","journal-title":"IEEE Secur Priv"},{"key":"10794_CR30","doi-asserted-by":"crossref","unstructured":"Zahan N, Shohan S, Harris D, Williams L (2023b) Do software security practices yield fewer vulnerabilities?. In: Proceeding of the IEEE\/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP), pp 292\u2013303","DOI":"10.1109\/ICSE-SEIP58684.2023.00032"},{"key":"10794_CR31","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-46027-6","volume-title":"Association rule mining: models and algorithms","author":"C Zhang","year":"2002","unstructured":"Zhang C, Zhang S (2002) Association rule mining: models and algorithms. Springer-Verlag, Berlin, Heidelberg"},{"issue":"4","key":"10794_CR32","doi-asserted-by":"publisher","first-page":"240","DOI":"10.1109\/TSE.2006.38","volume":"32","author":"J Zheng","year":"2006","unstructured":"Zheng J, Williams L, Nagappan N, Snipes W, Hudepohl J, Vouk M (2006) On the value of static analysis for fault detection in software. IEEE Trans Software Eng 32(4):240\u2013253","journal-title":"IEEE Trans Software Eng"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-025-10794-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-025-10794-z","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-025-10794-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,30]],"date-time":"2026-03-30T14:35:44Z","timestamp":1774881344000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-025-10794-z"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,2,6]]},"references-count":32,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2026,5]]}},"alternative-id":["10794"],"URL":"https:\/\/doi.org\/10.1007\/s10664-025-10794-z","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,2,6]]},"assertion":[{"value":"2 June 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"15 December 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"6 February 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing Interests"}}],"article-number":"65"}}