An investigation of software vulnerabilities in open source software projects using data from publicly-available online sources.



Murshed, S M Monzur




Software vulnerabilities are an active area of research, but little is known about how publicly observable properties of open source software projects and their developer communities relate to the time taken to discover and fix vulnerabilities in the projects' software. This thesis examines that relationship using data harvested from online sources about a sample of 60 open source content management system (CMS) projects and 1268 vulnerabilities affecting the software produced by those projects. Combining project release histories with metrics from two online databases provided reliable proxy dates for vulnerability introduction and fix, but not for discovery. Higher commit density (a proxy for project activity) was associated with a shorter time of exposure. The lifecycle model, data collection workflow, and software scripts will enable researchers to replicate and extend this analysis, and the evidence-based recommendations provided here will enable improvements to the coverage, quality, access, and integration of online sources for project and vulnerability metrics.


Computer Science
Business Administration - Management
Education - Technology




Carleton University

Thesis Degree Name: Master of Applied Science

Thesis Degree Level: 

Thesis Degree Discipline: Engineering, Technology Innovation Management

Parent Collection: Theses and Dissertations

Items in CURVE are protected by copyright, with all rights reserved, unless otherwise indicated. They are made available with permission from the author(s).