{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,3]],"date-time":"2026-03-03T10:07:34Z","timestamp":1772532454753,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":62,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,6,27]],"date-time":"2020-06-27T00:00:00Z","timestamp":1593216000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Natural Science Foundation of China","award":["61772308, 61972224, U1736209, 61802394, U1836209, 61902395"],"award-info":[{"award-number":["61772308, 61972224, U1736209, 61802394, U1836209, 61902395"]}]},{"name":"BNRist Network and Software Security Research Program","award":["BNR2019TD01004, BNR2019RC01009"],"award-info":[{"award-number":["BNR2019TD01004, BNR2019RC01009"]}]},{"name":"Strategic Priority Research Program of CAS","award":["XDC02040100, XDC02030200, XDC02020200"],"award-info":[{"award-number":["XDC02040100, XDC02030200, XDC02020200"]}]},{"name":"National Key Research and Development Program of China","award":["2016QY071405"],"award-info":[{"award-number":["2016QY071405"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,6,27]]},"DOI":"10.1145\/3377811.3380923","type":"proceedings-article","created":{"date-parts":[[2020,10,1]],"date-time":"2020-10-01T18:25:34Z","timestamp":1601576734000},"page":"1547-1559","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":35,"title":["A large-scale empirical study on vulnerability distribution within projects and the lessons learned"],"prefix":"10.1145","author":[{"given":"Bingchang","family":"Liu","sequence":"first","affiliation":[{"name":"University of Chinese Academy of 
Sciences"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Guozhu","family":"Meng","sequence":"additional","affiliation":[{"name":"University of Chinese Academy of Sciences"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Wei","family":"Zou","sequence":"additional","affiliation":[{"name":"University of Chinese Academy of Sciences"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Qi","family":"Gong","sequence":"additional","affiliation":[{"name":"Chinese Academy of Sciences"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Feng","family":"Li","sequence":"additional","affiliation":[{"name":"University of Chinese Academy of Sciences"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Min","family":"Lin","sequence":"additional","affiliation":[{"name":"Cyberspace, Tsinghua University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dandan","family":"Sun","sequence":"additional","affiliation":[{"name":"Chinese Academy of Sciences"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Wei","family":"Huo","sequence":"additional","affiliation":[{"name":"University of Chinese Academy of Sciences"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Chao","family":"Zhang","sequence":"additional","affiliation":[{"name":"Tsinghua University"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2020,10]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n.d.]. CVE-2019-7175. Retrieved February 4 2020 from https:\/\/github.com\/ImageMagick\/ImageMagick\/issues\/1450"},{"key":"e_1_3_2_1_2_1","unstructured":"[n.d.]. FFmpeg. Retrieved August 15 2019 from https:\/\/ffmpeg.org\/"},{"key":"e_1_3_2_1_3_1","unstructured":"[n.d.]. ImageMagick. Retrieved August 15 2019 from https:\/\/imagemagick.org\/"},{"key":"e_1_3_2_1_4_1","unstructured":"[n.d.]. ImageTragick. 
Retrieved August 15 2019 from https:\/\/imagetragick.com\/"},{"key":"e_1_3_2_1_5_1","unstructured":"[n.d.]. Linux-kernel. Retrieved August 15 2019 from https:\/\/www.kernel.org\/"},{"key":"e_1_3_2_1_6_1","unstructured":"[n.d.]. OpenSSL. Retrieved August 15 2019 from https:\/\/www.openssl.org\/"},{"key":"e_1_3_2_1_7_1","unstructured":"[n.d.]. PHP-SRC. Retrieved August 15 2019 from https:\/\/www.php.net"},{"key":"e_1_3_2_1_8_1","volume-title":"Retrieved","year":"2019","unstructured":"2010. american fuzzy lop. Retrieved March 09, 2019 from http:\/\/lcamtuf.coredump.cx\/afl\/"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180197"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2007.1005"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infoecopol.2009.10.002"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134020"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.sysarc.2010.06.003"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2011.54"},{"key":"e_1_3_2_1_15_1","volume-title":"John Grundy, and Aditya Ghose.","author":"Dam Hoa Khanh","year":"2017","unstructured":"Hoa Khanh Dam, Truyen Tran, Trang Pham, Shien Wee Ng, John Grundy, and Aditya Ghose. 2017. Automatic feature learning for vulnerability prediction. arXiv preprint arXiv:1708.02368 (2017)."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00024"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/32.879815"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/1162666.1162671"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00040"},{"key":"e_1_3_2_1_20_1","volume-title":"Retrieved","year":"2019","unstructured":"GitHub. [n.d.]. GitHub Developer API. 
Retrieved August 15, 2019 from https:\/\/developer.github.com\/v3\/"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196454"},{"key":"e_1_3_2_1_22_1","volume-title":"Retrieved","year":"2019","unstructured":"Google. [n.d.]. OSS-Fuzz issue 1506. Retrieved August 15, 2019 from https:\/\/bugs.chromium.org\/p\/oss-fuzz\/issues\/detail?id=1506"},{"key":"e_1_3_2_1_23_1","volume-title":"Retrieved","year":"2019","unstructured":"Google. [n.d.]. OSS-Fuzz issue 1903. Retrieved August 15, 2019 from https:\/\/bugs.chromium.org\/p\/oss-fuzz\/issues\/detail?id=1903"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2012.46"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11219-015-9273-7"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.43"},{"key":"e_1_3_2_1_28_1","volume-title":"26th {USENIX} Security Symposium ({USENIX} Security 17). 989--1006.","author":"Jia Xiangkun","unstructured":"Xiangkun Jia, Chao Zhang, Purui Su, Yi Yang, Huafeng Huang, and Dengguo Feng. 2017. Towards efficient heap overflow discovery. In 26th {USENIX} Security Symposium ({USENIX} Security 17). 989--1006."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/SCAM.2016.15"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2018.02.007"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.62"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134072"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106295"},{"key":"e_1_3_2_1_34_1","volume-title":"Retrieved","author":"MITRE.","year":"2019","unstructured":"MITRE. [n.d.]. Common Vulnerabilities and Exposures. Retrieved August 15, 2019 from https:\/\/cve.mitre.org"},{"key":"e_1_3_2_1_35_1","volume-title":"Retrieved","author":"MITRE.","year":"2019","unstructured":"MITRE. [n.d.]. Common Weakness Enumeration. 
Retrieved August 15, 2019 from https:\/\/cwe.mitre.org"},{"key":"e_1_3_2_1_36_1","unstructured":"MITRE. [n.d.]. CVE-2009-2767. Retrieved August 15 2019 from https:\/\/www.cvedetails.com\/cve\/CVE-2009-2767"},{"key":"e_1_3_2_1_37_1","unstructured":"MITRE. [n.d.]. CVE-2010-4250. Retrieved August 15 2019 from https:\/\/www.cvedetails.com\/cve\/CVE-2010-4250"},{"key":"e_1_3_2_1_38_1","unstructured":"MITRE. [n.d.]. CVE-2015-3636. Retrieved August 15 2019 from https:\/\/www.cvedetails.com\/cve\/CVE-2015-3636"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/2746194.2746198"},{"key":"e_1_3_2_1_40_1","volume-title":"Retrieved","author":"U.S. National Institute of Standards and Technology. [n.d.].","year":"2019","unstructured":"U.S. National Institute of Standards and Technology. [n.d.]. National Vulnerability Database (NVD). Retrieved August 15, 2019 from https:\/\/nvd.nist.gov\/vuln\/search\/statistics?form_type=Basic&results_type=statistics&search_type=last3years"},{"key":"e_1_3_2_1_41_1","volume-title":"USENIX Security Symposium. 93--104","author":"Ozment Andy","year":"2006","unstructured":"Andy Ozment and Stuart E Schechter. 2006. Milk or wine: does software security improve with age?. In USENIX Security Symposium. 93--104."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813604"},{"key":"e_1_3_2_1_43_1","volume-title":"24th {USENIX} Security Symposium ({USENIX} Security 15). 49--64.","author":"Ramos David A","unstructured":"David A Ramos and Dawson Engler. 2015. Under-constrained symbolic execution: Correctness checking for real code. In 24th {USENIX} Security Symposium ({USENIX} Security 15). 
49--64."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/IWESEP.2018.00013"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1108\/eb024706"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2014.2340398"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2012.6227141"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2012.6227141"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2010.81"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/1414004.1414065"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-011-9190-8"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1142\/S0218194018500055"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884857"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2016.2584050"},{"key":"e_1_3_2_1_55_1","unstructured":"Dimitri van Heesch. [n.d.]. Doxygen. Retrieved July 1 2019 from http:\/\/www.doxygen.nl\/"},{"key":"e_1_3_2_1_56_1","unstructured":"Wikipedia. [n.d.]. DirtyCow. Retrieved August 15 2019 from https:\/\/en.wikipedia.org\/wiki\/Dirty_COW"},{"key":"e_1_3_2_1_57_1","unstructured":"Wikipedia. [n.d.]. Heartbleed. Retrieved August 15 2019 from https:\/\/en.wikipedia.org\/wiki\/Heartbleed"},{"key":"e_1_3_2_1_58_1","unstructured":"Wikipedia. [n.d.]. SandWorm. 
Retrieved August 15 2019 from https:\/\/www.cvedetails.com\/cve\/CVE-2014-4114"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.49"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.44"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950353"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/1985441.1985457"},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2010.32"}],"event":{"name":"ICSE '20: 42nd International Conference on Software Engineering","location":"Seoul South Korea","acronym":"ICSE '20","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering","KIISE Korean Institute of Information Scientists and Engineers","IEEE CS"]},"container-title":["Proceedings of the ACM\/IEEE 42nd International Conference on Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3377811.3380923","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3377811.3380923","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:41:40Z","timestamp":1750200100000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3377811.3380923"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,6,27]]},"references-count":62,"alternative-id":["10.1145\/3377811.3380923","10.1145\/3377811"],"URL":"https:\/\/doi.org\/10.1145\/3377811.3380923","relation":{},"subject":[],"published":{"date-parts":[[2020,6,27]]},"assertion":[{"value":"2020-10-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}