{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,12]],"date-time":"2026-06-12T16:58:26Z","timestamp":1781283506978,"version":"3.54.1"},"publisher-location":"New York, NY, USA","reference-count":42,"publisher":"ACM","license":[{"start":{"date-parts":[[2017,10,30]],"date-time":"2017-10-30T00:00:00Z","timestamp":1509321600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-1518921"],"award-info":[{"award-number":["CNS-1518921"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2017,10,30]]},"DOI":"10.1145\/3133956.3134072","type":"proceedings-article","created":{"date-parts":[[2017,10,27]],"date-time":"2017-10-27T12:48:18Z","timestamp":1509108498000},"page":"2201-2215","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":185,"title":["A Large-Scale Empirical Study of Security Patches"],"prefix":"10.1145","author":[{"given":"Frank","family":"Li","sequence":"first","affiliation":[{"name":"University of California, Berkeley, Berkeley, CA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Vern","family":"Paxson","sequence":"additional","affiliation":[{"name":"University of California, Berkeley, Berkeley, CA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2017,10,30]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"American Fuzzy Lop. http:\/\/lcamtuf.coredump.cx\/afl\/."},{"key":"e_1_3_2_2_2_1","unstructured":"cgit. https:\/\/git.zx2c4.com\/cgit\/about\/."},{"key":"e_1_3_2_2_3_1","unstructured":"Core Infrastructure Initiative. https:\/\/www.coreinfrastructure.org."},{"key":"e_1_3_2_2_4_1","unstructured":"Exuberant Ctags. http:\/\/ctags.sourceforge.net\/."},{"key":"e_1_3_2_2_5_1","unstructured":"GitLab. https:\/\/about.gitlab.com\/."},{"key":"e_1_3_2_2_6_1","unstructured":"GitWeb. https:\/\/git-scm.com\/book\/en\/v2\/Git-on-the-Server-GitWeb."},{"key":"e_1_3_2_2_7_1","unstructured":"ISC Software Defect and Security Vulnerability Disclosure Policy. https:\/\/kb.isc.org\/article\/AA-00861\/164\/ISC-Software-Defect-and-Security- Vulnerability-Disclosure-Policy.html."},{"key":"e_1_3_2_2_8_1","unstructured":"Open Crypto Audit Project. https:\/\/opencryptoaudit.org."},{"key":"e_1_3_2_2_9_1","unstructured":"Undefined Behavior Sanitizer. https:\/\/clang.llvm.org\/docs\/UndefinedBehavior Sanitizer.html."},{"key":"e_1_3_2_2_10_1","volume-title":"BlackHat","author":"Christey Steve","year":"2013","unstructured":"Steve Christey and Brian Martin. Buying Into the Bias: Why Vulnerability Statistics Suck. In BlackHat, 2013."},{"key":"e_1_3_2_2_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2663716.2663755"},{"key":"e_1_3_2_2_12_1","unstructured":"Forum of Incident Response and Security Teams. Common Vulnerability Scoring System v3.0: Specification Document. https:\/\/www.first.org\/cvss\/specification-document."},{"key":"e_1_3_2_2_13_1","volume-title":"USENIX Predict Workshop","author":"Frei Stefan","year":"2011","unstructured":"Stefan Frei. End-Point Security Failures: Insights gained from Secunia PSI Scans. In USENIX Predict Workshop, 2011."},{"key":"e_1_3_2_2_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1162666.1162671"},{"key":"e_1_3_2_2_15_1","unstructured":"Google. Sanitizers. https:\/\/github.com\/google\/sanitizers."},{"key":"e_1_3_2_2_16_1","unstructured":"Google Open Source Blog. Announcing OSS-Fuzz: Continuous Fuzzing for Open Source Software. https:\/\/opensource.googleblog.com\/2016\/12\/announcing-oss-fuzz-continuous-fuzzing.html."},{"key":"e_1_3_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/1806799.1806812"},{"key":"e_1_3_2_2_18_1","volume-title":"Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response","author":"Huang Zhen","year":"2016","unstructured":"Zhen Huang, Mariana D'Angelo, Dhaval Miyani, and David Lie. Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response. In IEEE Security and Privacy (S&P), 2016."},{"key":"e_1_3_2_2_19_1","volume-title":"October","author":"Corbet Jonathan","year":"2010","unstructured":"Jonathan Corbet. Kernel Vulnerabilities: Old or New?, October 2010. https:\/\/lwn.net\/Articles\/410606\/."},{"key":"e_1_3_2_2_20_1","volume-title":"October","author":"Cook Kees","year":"2016","unstructured":"Kees Cook. Security Bug Lifetime, October 2016. https:\/\/outflux.net\/blog\/archives\/2016\/10\/18\/security-bug-lifetime."},{"key":"e_1_3_2_2_21_1","volume-title":"Got Vulnerability: Exploring Effective Vulnerability Notifications. In USENIX Security Symposium","author":"Li Frank","year":"2016","unstructured":"Frank Li, Zakir Durumeric, Jakub Czyz, Mohammad Karami, Michael Bailey, Damon McCoy, Stefan Savage, and Vern Paxson. You've Got Vulnerability: Exploring Effective Vulnerability Notifications. In USENIX Security Symposium, 2016."},{"key":"e_1_3_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.1976.233837"},{"key":"e_1_3_2_2_23_1","unstructured":"MITRE Corporation. Common Vulnerabilities and Exposures. https:\/\/cve.mitre.org\/."},{"key":"e_1_3_2_2_24_1","unstructured":"MITRE Corporation. CWE: Common Weakness Enumeration. https:\/\/cwe.mitre.org\/."},{"key":"e_1_3_2_2_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2989238.2989239"},{"key":"e_1_3_2_2_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2013.6606579"},{"key":"e_1_3_2_2_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.48"},{"key":"e_1_3_2_2_28_1","volume-title":"USENIX Security Symposium","author":"Ozment Andy","year":"2006","unstructured":"Andy Ozment and Stuart E. Schechter. Milk or Wine: Does Software Security Improve with Age? In USENIX Security Symposium, 2006."},{"key":"e_1_3_2_2_29_1","volume-title":"Mining Software Repositories (MSR)","author":"Park Jihun","year":"2012","unstructured":"Jihun Park, Miryung Kim, Baishkhi Ray, and Doo-Hwan Bae. An Empirical Study on Supplementary Bug Fixes. In Mining Software Repositories (MSR), 2012."},{"key":"e_1_3_2_2_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813604"},{"key":"e_1_3_2_2_31_1","volume-title":"Version Control Systems Popularity","year":"2016","unstructured":"RhodeCode. Version Control Systems Popularity in 2016. https:\/\/rhodecode.com\/insights\/version-control-systems-2016."},{"key":"e_1_3_2_2_32_1","volume-title":"Liu. A Large Scale Exploratory Analysis of Software Vulnerability Life Cycles. In International Conference on Software Engineering (ICSE)","author":"Shahzad Muhammad","year":"2012","unstructured":"Muhammad Shahzad, M. Zubair Shafiq, and Alex X. Liu. A Large Scale Exploratory Analysis of Software Vulnerability Life Cycles. In International Conference on Software Engineering (ICSE), 2012."},{"key":"e_1_3_2_2_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/1083142.1083147"},{"key":"e_1_3_2_2_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/2901739.2903495"},{"key":"e_1_3_2_2_35_1","unstructured":"U.S. National Institute of Standards and Technology. CVSS Information. https:\/\/nvd.nist.gov\/cvss.cfm."},{"key":"e_1_3_2_2_36_1","unstructured":"U.S. National Institute of Standards and Technology. National Checklist Program Glossary. https:\/\/web.nvd.nist.gov\/view\/ncp\/repository\/glossary."},{"key":"e_1_3_2_2_37_1","unstructured":"U.S. National Institute of Standards and Technology. National Vulnerability Database. https:\/\/nvd.nist.gov\/home.cfm."},{"key":"e_1_3_2_2_38_1","unstructured":"U.S. National Institute of Standards and Technology. NVD Data Feed. https:\/\/nvd.nist.gov\/download.cfm."},{"key":"e_1_3_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.49"},{"key":"e_1_3_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2025113.2025121"},{"key":"e_1_3_2_2_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/1985441.1985457"},{"key":"e_1_3_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2015.101"}],"event":{"name":"CCS '17: 2017 ACM SIGSAC Conference on Computer and Communications Security","location":"Dallas Texas USA","acronym":"CCS '17","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3133956.3134072","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3133956.3134072","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3133956.3134072","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T02:11:03Z","timestamp":1750212663000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3133956.3134072"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,10,30]]},"references-count":42,"alternative-id":["10.1145\/3133956.3134072","10.1145\/3133956"],"URL":"https:\/\/doi.org\/10.1145\/3133956.3134072","relation":{},"subject":[],"published":{"date-parts":[[2017,10,30]]},"assertion":[{"value":"2017-10-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}