{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,14]],"date-time":"2026-05-14T22:49:53Z","timestamp":1778798993583,"version":"3.51.4"},"reference-count":106,"publisher":"IEEE","license":[{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,5]]},"DOI":"10.1109\/sp46214.2022.9833686","type":"proceedings-article","created":{"date-parts":[[2022,7,27]],"date-time":"2022-07-27T19:28:05Z","timestamp":1658950085000},"page":"1880-1896","source":"Crossref","is-referenced-by-count":36,"title":["Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects"],"prefix":"10.1109","author":[{"given":"Dominik","family":"Wermke","sequence":"first","affiliation":[{"name":"CISPA Helmholtz Center for Information Security,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Noah","family":"W\u00f6hler","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jan H.","family":"Klemmer","sequence":"additional","affiliation":[{"name":"Leibniz University Hannover,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Marcel","family":"Fourn\u00e9","sequence":"additional","affiliation":[{"name":"Max Planck Institute for Security and Privacy,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yasemin","family":"Acar","sequence":"additional","affiliation":[{"name":"George Washington University,United States"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sascha","family":"Fahl","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref57","article-title":"How do information security workers use host data? a summary of interviews with security analysts","author":"bridges","year":"2018","journal-title":"arXiv preprint arXiv 1812 02588"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1145\/1031607.1031672"},{"key":"ref59","first-page":"505","article-title":"When the weakest link is strong: Secure collaboration in the case of the panama papers","author":"mcgregor","year":"0","journal-title":"26th USENIX Security Symposium (USENIX Security 17)"},{"key":"ref58","first-page":"399","article-title":"Investigating the computer security practices and needs of journalists","author":"mcgregor","year":"0","journal-title":"24th USENIX Security Symposium (USENIX Security 15)"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/1280680.1280693"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1145\/3449093"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1145\/1518701.1518838"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-38928-3_14"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-Companion52605.2021.00096"},{"key":"ref50","article-title":"Did You Miss My Comment or What?,” understanding toxicity in open source discussions","author":"miller","year":"2022","journal-title":"International Conference on Software Engineering (ICSE '22)"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-SEIS.2019.00014"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568315"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-Companion52605.2021.00084"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-Companion52605.2021.00119"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00058"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1002\/smr.2393"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568260"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380410"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106246"},{"key":"ref8","year":"2020","journal-title":"Open source software supply chain security"},{"key":"ref7","author":"sharma","year":"2021","journal-title":"Npm fixes private package names leak serious authorization bug"},{"key":"ref9","year":"2021","journal-title":"The State of Enterprise Open Source 2020 Enterprise open source use rises proprietary software declines"},{"key":"ref4","year":"2021","journal-title":"Malware discovered in popular npm package ua-parser-js"},{"key":"ref3","year":"2021","journal-title":"GitLab"},{"key":"ref6","author":"hanley","year":"2021","journal-title":"Github's commitment to npm ecosystem security"},{"key":"ref5","author":"abrams","year":"2021","journal-title":"Popular npm library hijacked to install passwordstealers miners"},{"key":"ref100","author":"charmaz","year":"2014","journal-title":"Constructing Grounded Theory"},{"key":"ref101","first-page":"288","author":"strauss","year":"1997","journal-title":"Grounded theory in practice"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884875"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1145\/1082983.1083147"},{"key":"ref34","first-page":"255","article-title":"Effective static analysis of concurrency use-after-free bugs in linux device drivers","author":"bai","year":"2019","journal-title":"2019 USENIX Annual Technical Conference (USENIX ATC 19)"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/3411495.3421360"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134072"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2017.2"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/ICEMIS.2016.7745369"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2015.30"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.24251\/HICSS.2018.686"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/2145204.2145396"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2019.00017"},{"key":"ref24","article-title":"Historical analysis of exploit availability timelines","author":"householder","year":"2020","journal-title":"13th USENIX Workshop on Cyber Security Experimentation and Test ( CSET 20)"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382218"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.2009.25"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-55128-4_37"},{"key":"ref20","first-page":"131","article-title":"Evolution in open source software: A case study","author":"tu","year":"2000","journal-title":"Proc of the 2000 International Conference on Software Maintenance"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2005.73"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1145\/567793.567795"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387465"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-013-9258-8"},{"key":"ref29","first-page":"3","article-title":"Vulnerabilities and patches of open source software: An empirical study","volume":"4","author":"altinkemer","year":"2008","journal-title":"Information and System Security"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387510"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2019.00030"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/2597073.2597129"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/ICPC.2008.24"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2786854"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2015.26"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/358198.358210"},{"key":"ref99","author":"holz","year":"2021","journal-title":"IEEE S&P'21 program committee statement regarding the“hypocrite commits ” paper"},{"key":"ref10","year":"2021","journal-title":"Report on University of Minnesota breach-of-trust incident"},{"key":"ref98","author":"salter","year":"2021","journal-title":"Linux kernel team rejects university of minnesota researchers' apology"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2012.6227141"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196454"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1145\/2597073.2597126"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2012.6224294"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2018.110162131"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884806"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.1145\/2393596.2393647"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1145\/3387940.3391534"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1145\/3178158.3178202"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-20883-7_11"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2016.68"},{"key":"ref86","article-title":"Analyzing first contributions on github: What do newcomers do","author":"subramanian","year":"2020","journal-title":"IEEE Software"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2015.2500367"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1145\/2957792.2957793"},{"key":"ref87","doi-asserted-by":"crossref","first-page":"25","DOI":"10.1080\/10864415.2002.11044241","article-title":"Working for free? motivations for participating in open-source projects","volume":"6","author":"hars","year":"2002","journal-title":"Int J Electron Commerce"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1145\/2652524.2652544"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1145\/1985441.1985462"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1145\/1842752.1842796"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1145\/3127005.3127014"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-72486-7_19"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-57735-7_5"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1145\/2046582.2046587"},{"key":"ref106","year":"2022","journal-title":"Guidelines for research on the kernel community"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1145\/2832987.2833051"},{"key":"ref104","author":"birks","year":"2015","journal-title":"Grounded Theory A Practical Guide"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813604"},{"key":"ref105","article-title":"The Menlo report: Ethical principles guiding information and communication technology research","author":"kenneally","year":"2012","journal-title":"SSRN Electronic Journal"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1145\/3377816.3381732"},{"key":"ref102","first-page":"418","article-title":"Grounded theory research: Procedures, canons and evaluative criteria","volume":"19","author":"corbin","year":"1990","journal-title":"Qualitative Sociology"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3117771"},{"key":"ref103","author":"urquhart","year":"2012","journal-title":"Grounded Theory for Qualitative Research A Practical Guide"},{"key":"ref2","year":"2021","journal-title":"Github"},{"key":"ref1","year":"2021","journal-title":"State of the Octoverse"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1145\/2597073.2597117"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1109\/ICSA.2017.39"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635880"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387513"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.23919\/FRUCT.2017.8250205"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1145\/2089125.2089127"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/ASEW.2008.4686322"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1145\/2675133.2675215"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833756"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1002\/spip.255"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/3412569.3412571"},{"key":"ref60","first-page":"89","article-title":"Computer security and privacy in the interactions between victim service providers and human trafficking survivors","author":"chen","year":"0","journal-title":"28th USENIX Security Symposium (USENIX Security 19)"},{"key":"ref62","first-page":"385","article-title":"New me: Understanding expert and non-expert perceptions and usage of the tor anonymity network","author":"gallagher","year":"0","journal-title":"Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017)"},{"key":"ref61","first-page":"113","article-title":"An inconvenient trust: User attitudes toward security and usability tradeoffs for key-directory encryption systems","author":"bai","year":"0","journal-title":"Twelfth Symposium on Usable Privacy and Security (SOUPS 2016)"}],"event":{"name":"2022 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2022,5,22]]},"end":{"date-parts":[[2022,5,26]]}},"container-title":["2022 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9833550\/9833558\/09833686.pdf?arnumber=9833686","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,8]],"date-time":"2023-11-08T23:13:54Z","timestamp":1699485234000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9833686\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5]]},"references-count":106,"URL":"https:\/\/doi.org\/10.1109\/sp46214.2022.9833686","relation":{},"subject":[],"published":{"date-parts":[[2022,5]]}}}