{"id":"https://openalex.org/W7127973371","doi":"https://doi.org/10.1007/s10664-025-10794-z","title":"Security by documentation? characterizing GitHub SECURITY.md policy and their adoption in Python libraries","display_name":"Security by documentation? characterizing GitHub SECURITY.md policy and their adoption in Python libraries","publication_year":2026,"publication_date":"2026-02-06","ids":{"openalex":"https://openalex.org/W7127973371","doi":"https://doi.org/10.1007/s10664-025-10794-z"},"language":"en","primary_location":{"id":"doi:10.1007/s10664-025-10794-z","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10664-025-10794-z","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10664-025-10794-z.pdf","source":{"id":"https://openalex.org/S109852484","display_name":"Empirical Software Engineering","issn_l":"1382-3256","issn":["1382-3256","1573-7616"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Empirical Software Engineering","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://link.springer.com/content/pdf/10.1007/s10664-025-10794-z.pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5030198911","display_name":"Morakot Choetkiertikul","orcid":null},"institutions":[{"id":"https://openalex.org/I25399158","display_name":"Mahidol University","ror":"https://ror.org/01znkr924","country_code":"TH","type":"education","lineage":["https://openalex.org/I25399158"]}],"countries":["TH"],"is_corresponding":false,"raw_author_name":"Morakot Choetkiertikul","raw_affiliation_strings":["Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand","institution_ids":["https://openalex.org/I25399158"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5116249001","display_name":"Sushawapak Kancharoendee","orcid":null},"institutions":[{"id":"https://openalex.org/I25399158","display_name":"Mahidol University","ror":"https://ror.org/01znkr924","country_code":"TH","type":"education","lineage":["https://openalex.org/I25399158"]}],"countries":["TH"],"is_corresponding":false,"raw_author_name":"Sushawapak Kancharoendee","raw_affiliation_strings":["Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand","institution_ids":["https://openalex.org/I25399158"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5116249003","display_name":"Chanikarn Jongyingyos","orcid":null},"institutions":[{"id":"https://openalex.org/I25399158","display_name":"Mahidol University","ror":"https://ror.org/01znkr924","country_code":"TH","type":"education","lineage":["https://openalex.org/I25399158"]}],"countries":["TH"],"is_corresponding":false,"raw_author_name":"Chanikarn Jongyingyos","raw_affiliation_strings":["Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand","institution_ids":["https://openalex.org/I25399158"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5116249002","display_name":"Thanat Phichitphanphong","orcid":null},"institutions":[{"id":"https://openalex.org/I25399158","display_name":"Mahidol University","ror":"https://ror.org/01znkr924","country_code":"TH","type":"education","lineage":["https://openalex.org/I25399158"]}],"countries":["TH"],"is_corresponding":false,"raw_author_name":"Thanat Phichitphanphong","raw_affiliation_strings":["Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand","institution_ids":["https://openalex.org/I25399158"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5125180044","display_name":"Chaiyong Ragkhitwetsagul","orcid":null},"institutions":[{"id":"https://openalex.org/I25399158","display_name":"Mahidol University","ror":"https://ror.org/01znkr924","country_code":"TH","type":"education","lineage":["https://openalex.org/I25399158"]}],"countries":["TH"],"is_corresponding":true,"raw_author_name":"Chaiyong Ragkhitwetsagul","raw_affiliation_strings":["Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand"],"raw_orcid":"https://orcid.org/0009-0001-8386-9558","affiliations":[{"raw_affiliation_string":"Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand","institution_ids":["https://openalex.org/I25399158"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5070182381","display_name":"Brittany Reid","orcid":null},"institutions":[{"id":"https://openalex.org/I75917431","display_name":"Nara Institute of Science and Technology","ror":"https://ror.org/05bhada84","country_code":"JP","type":"education","lineage":["https://openalex.org/I75917431"]}],"countries":["JP"],"is_corresponding":false,"raw_author_name":"Brittany Reid","raw_affiliation_strings":["Graduate School of Information Science, Nara Institute of Science and Technology (NAIST), Ikoma, Japan"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Graduate School of Information Science, Nara Institute of Science and Technology (NAIST), Ikoma, Japan","institution_ids":["https://openalex.org/I75917431"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5091820517","display_name":"Raula Gaikovina Kula","orcid":"https://orcid.org/0000-0003-2324-0608"},"institutions":[{"id":"https://openalex.org/I98285908","display_name":"The University of Osaka","ror":"https://ror.org/035t8zc32","country_code":"JP","type":"education","lineage":["https://openalex.org/I98285908"]}],"countries":["JP"],"is_corresponding":false,"raw_author_name":"Raula Gaikovina Kula","raw_affiliation_strings":["Graduate School of Information Science and Technology, The University of Osaka, Suita, Japan"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Graduate School of Information Science and Technology, The University of Osaka, Suita, Japan","institution_ids":["https://openalex.org/I98285908"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5099077333","display_name":"Thanwadee Sunetnanta","orcid":"https://orcid.org/0000-0002-1436-0352"},"institutions":[{"id":"https://openalex.org/I25399158","display_name":"Mahidol University","ror":"https://ror.org/01znkr924","country_code":"TH","type":"education","lineage":["https://openalex.org/I25399158"]}],"countries":["TH"],"is_corresponding":false,"raw_author_name":"Thanwadee Sunetnanta","raw_affiliation_strings":["Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand","institution_ids":["https://openalex.org/I25399158"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":8,"corresponding_author_ids":["https://openalex.org/A5125180044"],"corresponding_institution_ids":["https://openalex.org/I25399158"],"apc_list":{"value":2290,"currency":"EUR","value_usd":2890},"apc_paid":{"value":2290,"currency":"EUR","value_usd":2890},"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.18220236,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"31","issue":"3","first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.6402999758720398,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.6402999758720398,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.14000000059604645,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.04729999974370003,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/python","display_name":"Python (programming language)","score":0.5777999758720398},{"id":"https://openalex.org/keywords/security-policy","display_name":"Security policy","score":0.5690000057220459},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.5467000007629395},{"id":"https://openalex.org/keywords/information-security-standards","display_name":"Information security standards","score":0.49410000443458557},{"id":"https://openalex.org/keywords/application-security","display_name":"Application security","score":0.4772000014781952},{"id":"https://openalex.org/keywords/cloud-computing-security","display_name":"Cloud computing security","score":0.47110000252723694},{"id":"https://openalex.org/keywords/computer-security-model","display_name":"Computer security model","score":0.41850000619888306},{"id":"https://openalex.org/keywords/security-information-and-event-management","display_name":"Security information and event management","score":0.4113999903202057}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5792999863624573},{"id":"https://openalex.org/C519991488","wikidata":"https://www.wikidata.org/wiki/Q28865","display_name":"Python (programming language)","level":2,"score":0.5777999758720398},{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.5690000057220459},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.5467000007629395},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5289999842643738},{"id":"https://openalex.org/C139547956","wikidata":"https://www.wikidata.org/wiki/Q6031202","display_name":"Information security standards","level":5,"score":0.49410000443458557},{"id":"https://openalex.org/C77109596","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Application security","level":5,"score":0.4772000014781952},{"id":"https://openalex.org/C184842701","wikidata":"https://www.wikidata.org/wiki/Q370563","display_name":"Cloud computing security","level":3,"score":0.47110000252723694},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.41850000619888306},{"id":"https://openalex.org/C103377522","wikidata":"https://www.wikidata.org/wiki/Q3493999","display_name":"Security information and event management","level":4,"score":0.4113999903202057},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.4108999967575073},{"id":"https://openalex.org/C3018397939","wikidata":"https://www.wikidata.org/wiki/Q3644502","display_name":"Open source","level":3,"score":0.40230000019073486},{"id":"https://openalex.org/C13159133","wikidata":"https://www.wikidata.org/wiki/Q365674","display_name":"Security engineering","level":5,"score":0.4011000096797943},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.3840000033378601},{"id":"https://openalex.org/C114869243","wikidata":"https://www.wikidata.org/wiki/Q133735","display_name":"Security through obscurity","level":5,"score":0.3743000030517578},{"id":"https://openalex.org/C184356942","wikidata":"https://www.wikidata.org/wiki/Q830382","display_name":"Best practice","level":2,"score":0.3345000147819519},{"id":"https://openalex.org/C131275738","wikidata":"https://www.wikidata.org/wiki/Q7445023","display_name":"Security bug","level":5,"score":0.32199999690055847},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.30799999833106995},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.30140000581741333},{"id":"https://openalex.org/C117110713","wikidata":"https://www.wikidata.org/wiki/Q3394676","display_name":"Network security policy","level":4,"score":0.29170000553131104},{"id":"https://openalex.org/C180823521","wikidata":"https://www.wikidata.org/wiki/Q1662502","display_name":"Certified Information Security Manager","level":5,"score":0.2897000014781952},{"id":"https://openalex.org/C192209626","wikidata":"https://www.wikidata.org/wiki/Q190909","display_name":"Focus (optics)","level":2,"score":0.2800000011920929},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.25929999351501465}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1007/s10664-025-10794-z","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10664-025-10794-z","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10664-025-10794-z.pdf","source":{"id":"https://openalex.org/S109852484","display_name":"Empirical Software Engineering","issn_l":"1382-3256","issn":["1382-3256","1573-7616"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Empirical Software Engineering","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1007/s10664-025-10794-z","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10664-025-10794-z","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10664-025-10794-z.pdf","source":{"id":"https://openalex.org/S109852484","display_name":"Empirical Software Engineering","issn_l":"1382-3256","issn":["1382-3256","1573-7616"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Empirical Software Engineering","raw_type":"journal-article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions","score":0.4734444320201874}],"awards":[],"funders":[],"has_content":{"pdf":true,"grobid_xml":false},"content_urls":{"pdf":"https://content.openalex.org/works/W7127973371.pdf"},"referenced_works_count":20,"referenced_works":["https://openalex.org/W1972978214","https://openalex.org/W1973429805","https://openalex.org/W2053154970","https://openalex.org/W2081580037","https://openalex.org/W2107024044","https://openalex.org/W2143017621","https://openalex.org/W2147956392","https://openalex.org/W2481003398","https://openalex.org/W2962994070","https://openalex.org/W3121596715","https://openalex.org/W3124116687","https://openalex.org/W4226258240","https://openalex.org/W4288057810","https://openalex.org/W4313564346","https://openalex.org/W4360948905","https://openalex.org/W4380982237","https://openalex.org/W4383898619","https://openalex.org/W4385324206","https://openalex.org/W4388675555","https://openalex.org/W4410553123"],"related_works":[],"abstract_inverted_index":{"With":[0],"security":[1,9,35,46,54,70,98,102,111,123,136,142],"in":[2],"open-source":[3,145],"software":[4],"development":[5],"increasingly":[6],"becoming":[7],"crucial,":[8],"policies":[10,36,55,71,88],"are":[11],"one":[12],"way":[13],"to":[14,63,138],"manage":[15],"vulnerabilities":[16],"and":[17,84,89,96,108,134],"guide":[18],"users":[19],"toward":[20],"safe":[21],"practices.":[22,124],"To":[23],"support":[24],"secure":[25],"development,":[26],"platforms":[27],"like":[28],"GitHub":[29],"provide":[30],"a":[31,132],"dedicated":[32],"section":[33],"for":[34],"within":[37],"repositories.":[38],"Existing":[39],"studies":[40],"focus":[41],"on":[42,78],"the":[43,49,53,69,82,91,128,140],"adoption":[44],"of":[45,52,72,86,130,144],"policies.":[47,112],"However,":[48],"detailed":[50],"content":[51,85],"has":[56],"not":[57],"been":[58],"examined.":[59],"Our":[60],"study":[61,126],"aims":[62],"fill":[64],"this":[65],"gap":[66],"by":[67,100],"analyzing":[68],"679":[73],"PyPI":[74],"Python":[75],"libraries":[76],"hosted":[77],"GitHub.":[79],"We":[80],"examine":[81],"characteristics":[83,95],"existing":[87],"investigate":[90],"relationship":[92],"with":[93,107,118],"project":[94],"recommended":[97,122],"practices":[99,143],"comparing":[101],"practice":[103],"assessments":[104],"between":[105],"projects":[106,117],"without":[109],"established":[110],"The":[113],"result":[114],"indicates":[115],"that":[116],"security.md":[119],"shows":[120],"stronger":[121],"This":[125],"highlights":[127],"importance":[129],"adopting":[131],"clear":[133],"comprehensive":[135],"policy":[137],"enhance":[139],"overall":[141],"projects.":[146]},"counts_by_year":[],"updated_date":"2026-03-11T06:11:40.159057","created_date":"2026-02-07T00:00:00"}