TK researchers had a paper accepted to be presented at the flagship USENIX Security Symposium 2022. In the paper, TK researchers present a new approach to estimate how long vulnerabilities live in the codebases of popular FOSS projects (their lifetimes). They utilize this approach to perform a large-scale empirical measurement study on 11 FOSS projects. They find that vulnerabilities remain in the code for 4 years (on average) before they are discovered and fixed, varying significantly between projects (~2 years for Chromium, ~7 years for OpenSSL). The introduced approach is of general importance as it enables the study of several aspects of software security through the lens of vulnerability lifetimes.

Citation info:

• Title: How Long Do Vulnerabilities Live in the Code? A Large-Scale Empirical Measurement Study on FOSS Vulnerability Lifetimes
• Authors: Nikolaos Alexopoulos, Manuel Brack, Jan Philipp Wagner, Tim Grube, and Max Mühlhäuser (Telecooperation Lab, Technical University of Darmstadt)
• Link: https://www.usenix.org/conference/usenixsecurity22/presentation/alexopoulos