{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,7]],"date-time":"2026-03-07T18:07:28Z","timestamp":1772906848014,"version":"3.50.1"},"reference-count":80,"publisher":"IEEE","license":[{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,5]]},"DOI":"10.1109\/sp46215.2023.10179378","type":"proceedings-article","created":{"date-parts":[[2023,7,21]],"date-time":"2023-07-21T17:18:15Z","timestamp":1689959895000},"page":"1545-1560","source":"Crossref","is-referenced-by-count":16,"title":["\"Always Contribute Back\": A Qualitative Study on Security Challenges of the Open Source Supply Chain"],"prefix":"10.1109","author":[{"given":"Dominik","family":"Wermke","sequence":"first","affiliation":[{"name":"CISPA Helmholtz Center for Information Security,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jan H.","family":"Klemmer","sequence":"additional","affiliation":[{"name":"Leibniz University Hannover,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Noah","family":"W\u00f6hler","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Juliane","family":"Schm\u00fcser","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Harshini Sri","family":"Ramulu","sequence":"additional","affiliation":[{"name":"Paderborn University,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yasemin","family":"Acar","sequence":"additional","affiliation":[{"name":"Paderborn University,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sascha","family":"Fahl","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"The State of Enterprise Open Source 2020: Enterprise open source use rises, proprietary software declines","year":"2020"},{"key":"ref2","volume-title":"FireEye discovered SolarWinds breach while probing own hack","author":"Turton","year":"2020"},{"key":"ref3","volume-title":"SEC filings: SolarWinds says 18,000 customers were impacted by recent hack","author":"Cimpanu","year":"2020"},{"key":"ref4","volume-title":"CloudGuard Spectral detects several malicious packages on PyPI \u2013 the official software repository for python developers","year":"2022"},{"key":"ref5","volume-title":"Alert: Peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of ukraine","author":"Tal","year":"2022"},{"key":"ref6","first-page":"351","article-title":"A look at the dynamics of the JavaScript package ecosystem","volume-title":"Proceedings of the 13th International Conference on Mining Software Repositories (MSR \u201916)","author":"Wittern"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2017.55"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106267"},{"key":"ref9","first-page":"181","article-title":"On the impact of security vulnerabilities in the npm package dependency network","volume-title":"Proceedings of the 15th international conference on mining software repositories","author":"Decan"},{"key":"ref10","first-page":"995","article-title":"Small-world with high risks: A study of security threats in the npm ecosystem","volume-title":"Proceedings of the 28th USENIX Conference on Security Symposium (SEC\u201919)","author":"Zimmermann"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/3538969.3543815"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3236062"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/SANER50967.2021.00048"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-21544-5_5"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/CSMR.2013.33"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/ICSM.2013.39"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/2597073.2597131"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/3239235.3268920"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME46990.2020.00014"},{"key":"ref20","article-title":"A study of Android application security","volume-title":"Proceedings of the 20th USENIX Security Symposium (SEC\u201911)","author":"Enck"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2013.142"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9589-y"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2918315"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3236056"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2952130"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-020-09830-x"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510142"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2016.52"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.38"},{"key":"ref30","first-page":"653","article-title":"LibRadar: Fast and accurate detection of third-party libraries in Android apps","volume-title":"Proceedings of the 38th ACM International Conference on Software Engineering Companion","author":"Ma"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-15585-7_17"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2019.110460"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-019-09771-0"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3273934.3273937"},{"key":"ref35","first-page":"37","article-title":"Which library should i use?: A metric-based comparison of software libraries","volume-title":"Proceedings of the 40th IEEE\/ACM International Conference on Software Engineering: New Ideas and Emerging Technologies Results (ICSE-NIER \u201918)","author":"de la Mora"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9521-5"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/3560835.3564556"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2022.3142338"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382274"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.3025443"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-021-09959-3"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409711"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev53368.2022.00026"},{"key":"ref45","author":"Zahan","year":"2022","journal-title":"Preprint: Do OpenSSF Scorecard practices contribute to fewer vulnerabilities?"},{"key":"ref46","author":"Zahan","year":"2022","journal-title":"Preprint: Can the OpenSSF Scorecard be used to measure the security posture of npm and PyPI?"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2017.2782813"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.3023735"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/2998181.2998191"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/ARES.2015.45"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.25"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2017.24"},{"key":"ref53","first-page":"621","article-title":"The battle for New York: A case study of applied digital threat modeling at the enterprise level","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security \u201918)","author":"Stevens"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1145\/3290605.3300519"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179304"},{"key":"ref56","first-page":"399","article-title":"Investigating the computer security practices and needs of journalists","volume-title":"Proceedings of the 24th USENIX Security Symposium (USENIX Security 15)","author":"McGregor"},{"key":"ref57","first-page":"505","article-title":"When the weakest link is strong: Secure collaboration in the case of the panama papers","volume-title":"Proceedings of the 26th USENIX Security Symposium (USENIX Security 17)","author":"McGregor"},{"key":"ref58","first-page":"89","article-title":"Computer security and privacy in the interactions between victim service providers and human trafficking survivors","volume-title":"Proceedings of the 28th USENIX Security Symposium (USENIX Security 19)","author":"Chen"},{"key":"ref59","first-page":"113","article-title":"An inconvenient trust: User attitudes toward security and usability tradeoffs for key-directory encryption systems","volume-title":"Proceedings of the 12th Symposium on Usable Privacy and Security (SOUPS \u201916)","author":"Bai"},{"key":"ref60","first-page":"385","article-title":"New me: Understanding expert and non-expert perceptions and usage of the tor anonymity network","volume-title":"Proceedings of the 13th Symposium on Usable Privacy and Security (SOUPS \u201917)","author":"Gallagher"},{"key":"ref61","first-page":"1235","article-title":"A large-scale interview study on information security in and attacks against small and medium-sized enterprises","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX Security \u201921)","author":"Huaman"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-38928-3_14"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1145\/3173574.3173836"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1145\/1518701.1518838"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/1031607.1031672"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1145\/1280680.1280693"},{"key":"ref67","first-page":"357","article-title":"\u201c\"We make it a big deal in the company\u201d: Security mindsets in organizations that develop cryptographic products,\"","volume-title":"Proceedings of 14th Symposium on Usable Privacy and Security (SOUPS \u201918)","author":"Haney"},{"key":"ref68","author":"Jansen","year":"2021","journal-title":"Trustseco: An interview survey into software trust"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1145\/3503229.3547061"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833756"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833686"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179320"},{"key":"ref73","volume-title":"Constructing Grounded Theory.","author":"Charmaz","year":"2014"},{"key":"ref74","first-page":"288","volume-title":"Grounded Theory in Practice.","author":"Strauss","year":"1997"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1515\/zfsoz-1990-0602"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.4135\/9781526402196"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.53841\/bpsqmip.2024.1.37.59"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1145\/3359174"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.2139\/ssrn.2445102"},{"key":"ref80","volume-title":"Rage-quit: Coder unpublished 17 lines of javascript and \u201cbroke the internet\u201d","author":"Gallagher","year":"2016"}],"event":{"name":"2023 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2023,5,21]]},"end":{"date-parts":[[2023,5,25]]}},"container-title":["2023 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10179215\/10179280\/10179378.pdf?arnumber=10179378","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,7,20]],"date-time":"2024-07-20T05:11:51Z","timestamp":1721452311000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10179378\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5]]},"references-count":80,"URL":"https:\/\/doi.org\/10.1109\/sp46215.2023.10179378","relation":{},"subject":[],"published":{"date-parts":[[2023,5]]}}}