{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,29]],"date-time":"2026-01-29T22:33:17Z","timestamp":1769725997846,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":17,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,6,14]],"date-time":"2023-06-14T00:00:00Z","timestamp":1686700800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"SFRH\/BD\/143319\/2019"},{"name":"UIDB\/50021\/2020"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,6,14]]},"DOI":"10.1145\/3593434.3593481","type":"proceedings-article","created":{"date-parts":[[2023,5,30]],"date-time":"2023-05-30T12:54:01Z","timestamp":1685451241000},"page":"196-199","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Are security commit messages informative? Not enough!"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5690-2279","authenticated-orcid":false,"given":"Sofia","family":"Reis","sequence":"first","affiliation":[{"name":"Instituto Superior T\u00e9cnico, U. Lisbon, Portugal and INESC-ID, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3734-3157","authenticated-orcid":false,"given":"Rui","family":"Abreu","sequence":"additional","affiliation":[{"name":"Faculty of Engineering of the University of Porto, Portugal and INESC-ID, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5579-6961","authenticated-orcid":false,"given":"Corina","family":"Pasareanu","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, USA"}]}],"member":"320","published-online":{"date-parts":[[2023,6,14]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Russell Brandom. 2017. Former Equifax CEO blames breach on a single person who failed to deploy patch. 
https:\/\/www.theverge.com\/2017\/10\/3\/16410806\/equifax-ceo-blame-breach-patch-congress-testimony."},{"key":"e_1_3_2_1_2_1","unstructured":"Dan Goodin. 2017. Failure to patch two-month-old bug led to massive Equifax breach. https:\/\/arstechnica.com\/information-technology\/2017\/09\/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug\/."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1184\/R1\/12367340.v1"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"crossref","unstructured":"Frank Li and Vern Paxson. 2017. A Large-Scale Empirical Study of Security Patches. In CCS\u201917. 2201\u20132215.","DOI":"10.1145\/3133956.3134072"},{"key":"e_1_3_2_1_5_1","unstructured":"Frank Li Lisa Rogers Arunesh Mathur Nathan Malkin and Marshini Chetty. 2019. Keepers of the Machines: Examining How System Administrators Manage Software Updates For Multiple Machines. In SOUPS @ USENIX\u201919."},{"key":"e_1_3_2_1_6_1","volume-title":"Beyond Metadata: Code-centric and Usage-based Analysis of Known Vulnerabilities in Open-source Software.","author":"Ponta Serena\u00a0Elisa","year":"2018","unstructured":"Serena\u00a0Elisa Ponta, Henrik Plate, and Antonino Sabetta. 2018. Beyond Metadata: Code-centric and Usage-based Analysis of Known Vulnerabilities in Open-source Software. (2018)."},{"key":"e_1_3_2_1_7_1","volume-title":"MSR\u201919","author":"Ponta E.","unstructured":"Serena\u00a0E. Ponta, Henrik Plate, Antonino Sabetta, Michele Bezzi, and C\u00e9dric Dangremont. 2019. A Manually-Curated Dataset of Fixes to Vulnerabilities of Open-Source Software. In MSR\u201919. IEEE Press, 383\u2013387."},{"key":"e_1_3_2_1_8_1","volume-title":"SECBENCH: A Database of Real Security Vulnerabilities.. In SecSE @ ESORICS. 69\u201385.","author":"Reis Sofia","year":"2017","unstructured":"Sofia Reis and Rui Abreu. 2017. SECBENCH: A Database of Real Security Vulnerabilities.. In SecSE @ ESORICS. 
69\u201385."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3524842.3528513"},{"key":"e_1_3_2_1_10_1","unstructured":"Sofia Reis Hakan Erdogmus Rui Abreu and Corina Pasareanu. 2023. Best Practices when Writing Security Commit Messages: Are we there yet?"},{"key":"e_1_3_2_1_11_1","unstructured":"Sofia Reis Corina Pasareanu Rui Abreu and Hakan Erdogmus. 2023. SECOMlint: A linter for Security Commit Messages."},{"key":"e_1_3_2_1_12_1","volume-title":"SSPCatcher: Learning to catch security patches. Empirical Software Engineering6","author":"Sawadogo D.","year":"2022","unstructured":"Arthur\u00a0D. Sawadogo, Tegawend\u00e9 F. Bissyand\u00e9, Naouel Moha, Kevin Allix, Jacques Klein, Li Li, and Yves Le\u00a0Traon. 2022. SSPCatcher: Learning to catch security patches. Empirical Software Engineering6 (2022), 151."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"crossref","unstructured":"Murugiah Souppaya and Karen Scarfone. 2013. Guide to Enterprise Patch Management Technologies. https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-40r3.pdf.","DOI":"10.6028\/NIST.SP.800-40r3"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"crossref","unstructured":"Yingchen Tian Yuxia Zhang Klaas-Jan Stol Lin Jiang and Hui Liu. 2022. What makes a good commit message?. In ICSE\u201922. ACM.","DOI":"10.1145\/3510003.3510205"},{"key":"e_1_3_2_1_15_1","unstructured":"Christian Tiefenau Maximilian H\u00e4ring Katharina Krombholz and Emanuel Von\u00a0Zezschwitz. 2020. Security Availability and Multiple Information Sources: Exploring Update Behavior of System Administrators (SOUPS\u201920)."},{"key":"e_1_3_2_1_16_1","unstructured":"Zheng Zhang. 2021. An Investigation of the Android Kernel Patch Ecosystem. In USENIX\u201921."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"crossref","unstructured":"Jiayuan Zhou Michael Pacheco Zhiyuan Wan Xin Xia David Lo Yuan Wang and Ahmed\u00a0E. Hassan. 2021. 
Finding A Needle in a Haystack: Automated Mining of Silent Vulnerability Fixes. In ASE\u201921.","DOI":"10.1109\/ASE51524.2021.9678720"}],"event":{"name":"EASE '23: The International Conference on Evaluation and Assessment in Software Engineering","location":"Oulu Finland","acronym":"EASE '23"},"container-title":["Proceedings of the 27th International Conference on Evaluation and Assessment in Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3593434.3593481","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3593434.3593481","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T07:09:34Z","timestamp":1755846574000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3593434.3593481"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,6,14]]},"references-count":17,"alternative-id":["10.1145\/3593434.3593481","10.1145\/3593434"],"URL":"https:\/\/doi.org\/10.1145\/3593434.3593481","relation":{},"subject":[],"published":{"date-parts":[[2023,6,14]]},"assertion":[{"value":"2023-06-14","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}