Paper accepted at USENIX Security '22


TK researchers had a paper accepted for presentation at the flagship USENIX Security Symposium 2022. In the paper, they present a new approach to estimate how long vulnerabilities live in the codebases of popular FOSS projects (their lifetimes, i.e. the time between a vulnerability being introduced and being discovered and fixed). They use this approach to perform a large-scale empirical measurement study on 11 FOSS projects. They find that vulnerabilities remain in the code for 4 years (on average) before they are discovered and fixed, with significant variation between projects (~2 years for Chromium, ~7 years for OpenSSL). The approach is of general importance because it enables the study of several aspects of software security through the lens of vulnerability lifetimes.

