{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,18]],"date-time":"2026-06-18T04:09:36Z","timestamp":1781755776173,"version":"3.54.5"},"publisher-location":"New York, NY, USA","reference-count":76,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,7,10]],"date-time":"2024-07-10T00:00:00Z","timestamp":1720569600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Key Research and Development Program of China","award":["2021YFB2701102"],"award-info":[{"award-number":["2021YFB2701102"]}]},{"name":"National Natural Science Foundation of China","award":["62372398, 7234202, U20A20173"],"award-info":[{"award-number":["62372398, 7234202, U20A20173"]}]},{"name":"Ningbo Natural Science Foundation","award":["2023J292"],"award-info":[{"award-number":["2023J292"]}]},{"name":"Fundamental Research Funds for the Central Universities","award":["226-2022-00064"],"award-info":[{"award-number":["226-2022-00064"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,7,10]]},"DOI":"10.1145\/3663529.3663835","type":"proceedings-article","created":{"date-parts":[[2024,7,10]],"date-time":"2024-07-10T19:43:13Z","timestamp":1720640593000},"page":"138-149","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["Unveil the Mystery of Critical Software Vulnerabilities"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9471-9638","authenticated-orcid":false,"given":"Shengyi","family":"Pan","sequence":"first","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1846-0921","authenticated-orcid":false,"given":"Lingfeng","family":"Bao","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China \/ Hangzhou High-Tech Zone (Binjiang) Blockchain and Data Security Research Institute, Hangzhou, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5181-3146","authenticated-orcid":false,"given":"Jiayuan","family":"Zhou","sequence":"additional","affiliation":[{"name":"Huawei, Waterloo, Canada"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0093-3292","authenticated-orcid":false,"given":"Xing","family":"Hu","sequence":"additional","affiliation":[{"name":"Zhejiang University, Ningbo, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6302-3256","authenticated-orcid":false,"given":"Xin","family":"Xia","sequence":"additional","affiliation":[{"name":"Huawei, Hangzhou, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2615-9792","authenticated-orcid":false,"given":"Shanping","family":"Li","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2024,7,10]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2019. Equifax to Pay at Least $650 Million in Largest-Ever Data Breach Settlement. https:\/\/www.nytimes.com\/2019\/07\/22\/business\/equifax-settlement.html"},{"key":"e_1_3_2_1_2_1","unstructured":"2022. GitHub | Open Source Supply Chain Security. https:\/\/github.blog\/2022-11-09-improving-open-source-supply-chain-security\/"},{"key":"e_1_3_2_1_3_1","unstructured":"2022. GitHub Octoverse 2022: 10 years of tracking open source. https:\/\/github.blog\/2022-11-17-octoverse-2022-10-years-of-tracking-open-source\/"},{"key":"e_1_3_2_1_4_1","unstructured":"2023. BOD 19-02: Vulnerability Remediation Requirements for Internet-Accessible Systems | CISA. https:\/\/www.cisa.gov\/news-events\/directives\/bod-19-02-vulnerability-remediation-requirements-internet-accessible-systems"},{"key":"e_1_3_2_1_5_1","unstructured":"2023. Common Vulnerabilities and Exposure. https:\/\/www.cve.org\/"},{"key":"e_1_3_2_1_6_1","unstructured":"2023. Common Vulnerability Scoring System. https:\/\/www.first.org\/cvss\/"},{"key":"e_1_3_2_1_7_1","unstructured":"2023. Common Vulnerability Scoring System - Wikipedia. https:\/\/en.wikipedia.org\/wiki\/Common_Vulnerability_Scoring_System"},{"key":"e_1_3_2_1_8_1","unstructured":"2023. Common Weakness Enumeration. https:\/\/cwe.mitre.org\/index.html"},{"key":"e_1_3_2_1_9_1","unstructured":"2023. CVE-2017-5638. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-5638"},{"key":"e_1_3_2_1_10_1","unstructured":"2023. CVE-2021-33823. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-33823"},{"key":"e_1_3_2_1_11_1","unstructured":"2023. CVE-2021-36081. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-36081"},{"key":"e_1_3_2_1_12_1","unstructured":"2023. CVE-2021-442288. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-442288"},{"key":"e_1_3_2_1_13_1","unstructured":"2023. CVE-2022-31836. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-31836"},{"key":"e_1_3_2_1_14_1","unstructured":"2023. CVSS 3.1 Specification Document. https:\/\/www.first.org\/cvss\/v3.1\/specification-document"},{"key":"e_1_3_2_1_15_1","unstructured":"2023. CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). https:\/\/cwe.mitre.org\/data\/definitions\/1321.html"},{"key":"e_1_3_2_1_16_1","unstructured":"2023. CWE Top 25 Most Dangerous Software Weaknesses. https:\/\/cwe.mitre.org\/top25\/archive\/2022\/2022_cwe_top25.html"},{"key":"e_1_3_2_1_17_1","unstructured":"2023. EU Cloud Certification Scheme. https:\/\/ec.europa.eu\/newsroom\/cipr\/items\/713799\/en"},{"key":"e_1_3_2_1_18_1","unstructured":"2023. GitHub Docs - Autolinked references and URLs. https:\/\/docs.github.com\/en\/get-started\/writing-on-github\/working-with-advanced-formatting\/autolinked-references-and-urls"},{"key":"e_1_3_2_1_19_1","unstructured":"2023. GitHub GraphQL API. https:\/\/docs.github.com\/en\/graphql"},{"key":"e_1_3_2_1_20_1","unstructured":"2023. GitHub GraphQL API - securityadvisory. https:\/\/docs.github.com\/en\/graphql\/reference\/objects#securityadvisory"},{"key":"e_1_3_2_1_21_1","unstructured":"2023. GitHub Issue Report: beego\/beego issue #4961. https:\/\/github.com\/beego\/beego\/issues\/4961"},{"key":"e_1_3_2_1_22_1","unstructured":"2023. GitHub Issue Report: blackears\/svgSalamander issue #11. https:\/\/github.com\/blackears\/svgSalamander\/issues\/11"},{"key":"e_1_3_2_1_23_1","unstructured":"2023. GitHub Issue Report: blackears\/svgSalamander issue #33. https:\/\/github.com\/blackears\/svgSalamander\/pull\/33"},{"key":"e_1_3_2_1_24_1","unstructured":"2023. GitHub Issue Report: blackears\/svgSalamander pull #12. https:\/\/github.com\/blackears\/svgSalamander\/pull\/12"},{"key":"e_1_3_2_1_25_1","unstructured":"2023. GitHub Pull Request: actix\/actix-net pull #113. https:\/\/github.com\/actix\/actix-net\/pull\/113"},{"key":"e_1_3_2_1_26_1","unstructured":"2023. GitHub Pull Request: actix\/actix-net pull #158. https:\/\/github.com\/actix\/actix-net\/pull\/158"},{"key":"e_1_3_2_1_27_1","unstructured":"2023. GitHub Pull Request: ckeditor\/ckeditor4 pull #49. https:\/\/github.com\/ckeditor\/ckeditor4\/pull\/49"},{"key":"e_1_3_2_1_28_1","unstructured":"2023. GitHub Pull Request: libreoffice\/core pull #2924. https:\/\/github.com\/pjsip\/pjproject\/pull\/2924"},{"key":"e_1_3_2_1_29_1","unstructured":"2023. GitHub Pull Request: OpenRC\/openrc pull #462. https:\/\/github.com\/OpenRC\/openrc\/pull\/462"},{"key":"e_1_3_2_1_30_1","unstructured":"2023. GitHub Repository: facebook\/folly. https:\/\/github.com\/facebook\/folly"},{"key":"e_1_3_2_1_31_1","unstructured":"2023. GitHub Repository: tesseract-ocr\/tesseract. https:\/\/github.com\/tesseract-ocr\/tesseract"},{"key":"e_1_3_2_1_32_1","unstructured":"2023. GitHub REST API. https:\/\/docs.github.com\/en\/rest?apiVersion=2022-11-28"},{"key":"e_1_3_2_1_33_1","unstructured":"2023. GitHub REST API - IR timeline. https:\/\/docs.github.com\/en\/rest\/issues\/timeline?apiVersion=2022-11-28"},{"key":"e_1_3_2_1_34_1","unstructured":"2023. Google Project Zero. https:\/\/googleprojectzero.blogspot.com\/2021\/04\/policy-and-disclosure-2021-edition.html"},{"key":"e_1_3_2_1_35_1","unstructured":"2023. Introducing SLAs for Vulnerability Management. https:\/\/web.archive.org\/web\/20230327180000\/https:\/www.kennasecurity.com\/blog\/vulnerability-management-sla\/"},{"key":"e_1_3_2_1_36_1","unstructured":"2023. ISO\/IEC 30111:2019 Information technology Security techniques Vulnerability handling processes. https:\/\/www.iso.org\/standard\/69725.html"},{"key":"e_1_3_2_1_37_1","unstructured":"2023. National Vulnerability Database. https:\/\/nvd.nist.gov\/"},{"key":"e_1_3_2_1_38_1","unstructured":"2023. NVD - CVSS v3.1 Official Support. https:\/\/nvd.nist.gov\/general\/News\/CVSS-v3-1-Official-Support"},{"key":"e_1_3_2_1_39_1","unstructured":"2023. NVD - Retirement of CVSS v2. https:\/\/nvd.nist.gov\/general\/news\/retire-cvss-v2"},{"key":"e_1_3_2_1_40_1","unstructured":"2023. Organizations Fix Only 1 in 10 Vulnerabilities Monthly. https:\/\/www.msspalert.com\/news\/organizations-fix-only-1-in-10-vulnerabilities-monthly"},{"key":"e_1_3_2_1_41_1","unstructured":"2023. OSV Vulnerability Database. https:\/\/osv.dev\/"},{"key":"e_1_3_2_1_42_1","unstructured":"2023. Riot\/Issue-10753. https:\/\/github.com\/riot-os\/riot\/issues\/10753"},{"key":"e_1_3_2_1_43_1","unstructured":"2023. Security Policy: facebook\/folly. https:\/\/github.com\/facebook\/folly\/security\/policy"},{"key":"e_1_3_2_1_44_1","unstructured":"2023. Synk | 2023 Software Supply Chain Attack Report. https:\/\/go.snyk.io\/2023-supply-chain-attacks-report.html"},{"key":"e_1_3_2_1_45_1","unstructured":"2023. Synopsys 2023 Open Source Security and Risk Analysis Report. https:\/\/www.synopsys.com\/software-integrity\/resources\/analyst-reports\/open-source-security-risk-analysis.html"},{"key":"e_1_3_2_1_46_1","unstructured":"2023. Using SLAs for Better Vulnerability Management & Remediation: Improving Developer\u2019s Workflow - Phoenix Security. https:\/\/phoenix.security\/using-slas-for-better-vulnerability-management-remediation-improving-developers-workflow\/"},{"key":"e_1_3_2_1_47_1","unstructured":"2023. Vulnerability DB | Synk. https:\/\/security.snyk.io\/vuln"},{"key":"e_1_3_2_1_48_1","unstructured":"2023. Vulnerability Management Overview. https:\/\/handbook.gitlab.com\/handbook\/security\/threat-management\/vulnerability-management\/"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","unstructured":"2024. The Collected Dataset. https:\/\/doi.org\/10.5281\/zenodo.11179523 10.5281\/zenodo.11179523","DOI":"10.5281\/zenodo.11179523"},{"key":"e_1_3_2_1_50_1","unstructured":"2024. Vulnerability Management SLAs Guide. https:\/\/hostedscan.com\/blog\/vulnerability-management-slas-guide"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/SANER50967.2021.00048"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382284"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3087402"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3556969"},{"key":"e_1_3_2_1_55_1","volume-title":"Vulnerability management","author":"Foreman Park","unstructured":"Park Foreman. 2019. Vulnerability management. CRC Press."},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/3524842.3528452"},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2009.5070510"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2022.3140868"},{"key":"e_1_3_2_1_59_1","article-title":"Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages","author":"Imtiaz Nasif","year":"2022","unstructured":"Nasif Imtiaz, Aniqa Khanom, and Laurie Williams. 2022. Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages. IEEE Transactions on Software Engineering.","journal-title":"IEEE Transactions on Software Engineering."},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/3529757"},{"key":"e_1_3_2_1_61_1","volume-title":"Proceedings of the 19th International Conference on Mining Software Repositories. 621\u2013633","author":"Minh Le Triet Huynh","year":"2022","unstructured":"Triet Huynh Minh Le and M Ali Babar. 2022. On the use of fine-grained vulnerable code statements for software vulnerability assessment models. In Proceedings of the 19th International Conference on Mining Software Repositories. 621\u2013633."},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE51524.2021.9678622"},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134072"},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510177"},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380923"},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3293882.3330577"},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"crossref","unstructured":"Henry B Mann and Donald R Whitney. 1947. On a test of whether one of two random variables is stochastically larger than the other. The annals of mathematical statistics 50\u201360.","DOI":"10.1214\/aoms\/1177730491"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"e_1_3_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00088"},{"key":"e_1_3_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3639110"},{"key":"e_1_3_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1145\/3540250.3549156"},{"key":"e_1_3_2_1_72_1","volume-title":"Jacques Klein, and Naouel Moha.","author":"Sawadogo Arthur D","year":"2021","unstructured":"Arthur D Sawadogo, Quentin Guimard, Tegawend\u00e9 F Bissyand\u00e9, Abdoul Kader Kabor\u00e9, Jacques Klein, and Naouel Moha. 2021. Early Detection of Security-Relevant Bug Reports using Machine Learning: How Far Are We? arXiv preprint arXiv:2112.10123."},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2019.00056"},{"key":"e_1_3_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510229"},{"key":"e_1_3_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE51524.2021.9678720"},{"key":"e_1_3_2_1_76_1","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small world with high risks: A study of security threats in the npm ecosystem. In 28th USENIX Security Symposium (USENIX Security 19). 995\u20131010."}],"event":{"name":"FSE '24: 32nd ACM International Conference on the Foundations of Software Engineering","location":"Porto de Galinhas Brazil","acronym":"FSE '24","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Companion Proceedings of the 32nd ACM International Conference on the Foundations of Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3663529.3663835","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3663529.3663835","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T23:44:21Z","timestamp":1750290261000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3663529.3663835"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7,10]]},"references-count":76,"alternative-id":["10.1145\/3663529.3663835","10.1145\/3663529"],"URL":"https:\/\/doi.org\/10.1145\/3663529.3663835","relation":{},"subject":[],"published":{"date-parts":[[2024,7,10]]},"assertion":[{"value":"2024-07-10","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}