{"id":"https://openalex.org/W7133356629","doi":"https://doi.org/10.1016/j.infsof.2026.108086","title":"How vulnerability explanations help software practitioners confirm and fix code vulnerabilities","display_name":"How vulnerability explanations help software practitioners confirm and fix code vulnerabilities","publication_year":2026,"publication_date":"2026-03-03","ids":{"openalex":"https://openalex.org/W7133356629","doi":"https://doi.org/10.1016/j.infsof.2026.108086"},"language":"en","primary_location":{"id":"doi:10.1016/j.infsof.2026.108086","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.infsof.2026.108086","pdf_url":null,"source":{"id":"https://openalex.org/S205010575","display_name":"Information and Software Technology","issn_l":"0950-5849","issn":["0950-5849","1873-6025"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Information and Software Technology","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://doi.org/10.1016/j.infsof.2026.108086","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5027571552","display_name":"Fahad Al Debeyan","orcid":"https://orcid.org/0000-0002-3981-2722"},"institutions":[{"id":"https://openalex.org/I28022161","display_name":"King Saud University","ror":"https://ror.org/02f81g417","country_code":"SA","type":"education","lineage":["https://openalex.org/I28022161"]},{"id":"https://openalex.org/I67415387","display_name":"Lancaster University","ror":"https://ror.org/04f2nsd36","country_code":"GB","type":"education","lineage":["https://openalex.org/I67415387"]}],"countries":["GB","SA"],"is_corresponding":true,"raw_author_name":"Fahad Al Debeyan","raw_affiliation_strings":["College of Computer and Information Sciences, King Saud University, Ryiadh, Saudi Arabia","School of Computing and Communications, Lancaster University, Lancaster, UK"],"affiliations":[{"raw_affiliation_string":"College of Computer and Information Sciences, King Saud University, Ryiadh, Saudi Arabia","institution_ids":["https://openalex.org/I28022161"]},{"raw_affiliation_string":"School of Computing and Communications, Lancaster University, Lancaster, UK","institution_ids":["https://openalex.org/I67415387"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5125642470","display_name":"Tracy Hall","orcid":null},"institutions":[{"id":"https://openalex.org/I67415387","display_name":"Lancaster University","ror":"https://ror.org/04f2nsd36","country_code":"GB","type":"education","lineage":["https://openalex.org/I67415387"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Tracy Hall","raw_affiliation_strings":["School of Computing and Communications, Lancaster University, Lancaster, UK"],"affiliations":[{"raw_affiliation_string":"School of Computing and Communications, Lancaster University, Lancaster, UK","institution_ids":["https://openalex.org/I67415387"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5122840069","display_name":"Lech Madeyski","orcid":null},"institutions":[{"id":"https://openalex.org/I11923345","display_name":"Wroc\u0142aw University of Science and Technology","ror":"https://ror.org/008fyn775","country_code":"PL","type":"education","lineage":["https://openalex.org/I11923345"]},{"id":"https://openalex.org/I67415387","display_name":"Lancaster University","ror":"https://ror.org/04f2nsd36","country_code":"GB","type":"education","lineage":["https://openalex.org/I67415387"]},{"id":"https://openalex.org/I686019","display_name":"AGH University of Krakow","ror":"https://ror.org/00bas1c41","country_code":"PL","type":"education","lineage":["https://openalex.org/I686019"]}],"countries":["GB","PL"],"is_corresponding":false,"raw_author_name":"Lech Madeyski","raw_affiliation_strings":["Department of Applied Informatics, Wroclaw University of Science and Technology, Wroclaw, Poland","School of Computing and Communications, Lancaster University, Lancaster, UK"],"affiliations":[{"raw_affiliation_string":"Department of Applied Informatics, Wroclaw University of Science and Technology, Wroclaw, Poland","institution_ids":["https://openalex.org/I11923345","https://openalex.org/I686019"]},{"raw_affiliation_string":"School of Computing and Communications, Lancaster University, Lancaster, UK","institution_ids":["https://openalex.org/I67415387"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5022899674","display_name":"Emily Winter","orcid":"https://orcid.org/0000-0003-3314-7300"},"institutions":[{"id":"https://openalex.org/I67415387","display_name":"Lancaster University","ror":"https://ror.org/04f2nsd36","country_code":"GB","type":"education","lineage":["https://openalex.org/I67415387"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Emily Winter","raw_affiliation_strings":["School of Computing and Communications, Lancaster University, Lancaster, UK"],"affiliations":[{"raw_affiliation_string":"School of Computing and Communications, Lancaster University, Lancaster, UK","institution_ids":["https://openalex.org/I67415387"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5027571552"],"corresponding_institution_ids":["https://openalex.org/I28022161","https://openalex.org/I67415387"],"apc_list":{"value":3350,"currency":"USD","value_usd":3350},"apc_paid":{"value":3350,"currency":"USD","value_usd":3350},"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.4691994,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"195","issue":null,"first_page":"108086","last_page":"108086"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.35350000858306885,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.35350000858306885,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.15629999339580536,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.07620000094175339,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.6687999963760376},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.6190999746322632},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.5550000071525574},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.5273000001907349},{"id":"https://openalex.org/keywords/coding","display_name":"Coding (social sciences)","score":0.4560000002384186},{"id":"https://openalex.org/keywords/software-deployment","display_name":"Software deployment","score":0.453900009393692},{"id":"https://openalex.org/keywords/recall","display_name":"Recall","score":0.4406999945640564},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.3774999976158142}],"concepts":[{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.6687999963760376},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.6190999746322632},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5859000086784363},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.5550000071525574},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.5273000001907349},{"id":"https://openalex.org/C179518139","wikidata":"https://www.wikidata.org/wiki/Q5140297","display_name":"Coding (social sciences)","level":2,"score":0.4560000002384186},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.453900009393692},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4471000134944916},{"id":"https://openalex.org/C100660578","wikidata":"https://www.wikidata.org/wiki/Q18733","display_name":"Recall","level":2,"score":0.4406999945640564},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.37869998812675476},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.3774999976158142},{"id":"https://openalex.org/C150292731","wikidata":"https://www.wikidata.org/wiki/Q1342704","display_name":"Code review","level":5,"score":0.3698999881744385},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.3416000008583069},{"id":"https://openalex.org/C133237599","wikidata":"https://www.wikidata.org/wiki/Q2295111","display_name":"Code smell","level":5,"score":0.3215999901294708},{"id":"https://openalex.org/C2781249084","wikidata":"https://www.wikidata.org/wiki/Q908656","display_name":"Preference","level":2,"score":0.31790000200271606},{"id":"https://openalex.org/C199519371","wikidata":"https://www.wikidata.org/wiki/Q942695","display_name":"Source lines of code","level":3,"score":0.3172999918460846},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.301800012588501},{"id":"https://openalex.org/C117447612","wikidata":"https://www.wikidata.org/wiki/Q1412670","display_name":"Software quality","level":4,"score":0.29429998993873596},{"id":"https://openalex.org/C81669768","wikidata":"https://www.wikidata.org/wiki/Q2359161","display_name":"Precision and recall","level":2,"score":0.29179999232292175},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.29159998893737793},{"id":"https://openalex.org/C120936955","wikidata":"https://www.wikidata.org/wiki/Q2155640","display_name":"Empirical research","level":2,"score":0.2612000107765198},{"id":"https://openalex.org/C1009929","wikidata":"https://www.wikidata.org/wiki/Q179550","display_name":"Software bug","level":3,"score":0.2581000030040741},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.2556999921798706},{"id":"https://openalex.org/C15744967","wikidata":"https://www.wikidata.org/wiki/Q9418","display_name":"Psychology","level":0,"score":0.2513999938964844}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1016/j.infsof.2026.108086","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.infsof.2026.108086","pdf_url":null,"source":{"id":"https://openalex.org/S205010575","display_name":"Information and Software Technology","issn_l":"0950-5849","issn":["0950-5849","1873-6025"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Information and Software Technology","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1016/j.infsof.2026.108086","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.infsof.2026.108086","pdf_url":null,"source":{"id":"https://openalex.org/S205010575","display_name":"Information and Software Technology","issn_l":"0950-5849","issn":["0950-5849","1873-6025"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Information and Software Technology","raw_type":"journal-article"},"sustainable_development_goals":[{"score":0.42213311791419983,"display_name":"Reduced inequalities","id":"https://metadata.un.org/sdg/10"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":27,"referenced_works":["https://openalex.org/W1685057348","https://openalex.org/W1984041362","https://openalex.org/W1997646511","https://openalex.org/W2585292421","https://openalex.org/W2624094989","https://openalex.org/W2779206865","https://openalex.org/W2781491433","https://openalex.org/W2885030880","https://openalex.org/W2968249509","https://openalex.org/W2984772254","https://openalex.org/W2990685757","https://openalex.org/W2998879504","https://openalex.org/W3025207818","https://openalex.org/W3035874819","https://openalex.org/W3037099619","https://openalex.org/W3083954092","https://openalex.org/W3156106752","https://openalex.org/W3202451838","https://openalex.org/W4297399257","https://openalex.org/W4299575843","https://openalex.org/W4308653657","https://openalex.org/W4312436517","https://openalex.org/W4313549777","https://openalex.org/W4385884967","https://openalex.org/W4388624604","https://openalex.org/W4388826738","https://openalex.org/W4393256647"],"related_works":[],"abstract_inverted_index":{"Most":[0],"current":[1,224],"code":[2,29,49,63,89,128],"vulnerability":[3,110],"detection":[4,76,170,193],"tools":[5,77,204,225],"provide":[6,206,226,235],"only":[7],"a":[8,54,94,143,192],"binary":[9],"classification":[10],"(vulnerable/non-vulnerable)":[11],"with":[12,102,132,157],"little":[13],"to":[14,45,59,70,79,165,190,215],"no":[15],"additional":[16],"context.":[17],"This":[18],"paper":[19],"explores":[20],"the":[21,35,40,81,135,151,198,220],"impact":[22,82],"of":[23,37,42,74,83,96,105,134,138],"providing":[24],"explanations":[25,38,84,176],"for":[26,145,182],"vulnerabilities":[27,129],"alongside":[28],"labelled":[30,48,90],"as":[31,50,91],"vulnerable.":[32],"We":[33,65],"investigate":[34],"influence":[36],"on":[39,85],"ability":[41],"software":[43,68],"practitioners":[44,69,121,141],"confirm":[46],"such":[47,61],"actually":[51],"vulnerable":[52,62,92,107],"(i.e.,":[53],"true":[55],"positive":[56],"vulnerability)":[57],"and":[58,78,116,126,154,172,179,185,202,209,229],"fix":[60],"correctly.":[64],"surveyed":[66],"99":[67],"establish":[71],"their":[72,86,180,216],"use":[73],"code-vulnerability":[75],"evaluate":[80],"behaviour":[87],"towards":[88],"in":[93,169,197,219,232],"series":[95],"coding":[97],"exercises.":[98],"Participants":[99],"were":[100,177],"presented":[101,131],"four":[103,136],"forms":[104,137],"explanation:":[106],"lines":[108],",":[109,112,115],"type":[111],"short-form":[113,158],"text":[114,118,147,159],"long-form":[117,146],".":[119],"Software":[120],"performed":[122],"better":[123],"at":[124],"confirming":[125],"fixing":[127,155],"when":[130],"any":[133,227],"explanation.":[139],"Although":[140],"stated":[142],"preference":[144],"explanations,":[148,228],"they":[149],"achieved":[150],"highest":[152],"confirmation":[153],"performance":[156,186],"explanations.":[160,237],"Practitioners":[161],"also":[162],"indicated":[163],"willingness":[164],"accept":[166],"modest":[167],"drops":[168],"precision":[171],"recall":[173],"if":[174],"richer":[175],"provided,":[178],"preferences":[181],"explanation":[183,212],"types":[184,213],"trade-offs":[187],"varied":[188],"according":[189],"where":[191],"tool":[194],"is":[195],"used":[196],"software-development":[199],"pipeline.":[200],"Vulnerability-detection":[201],"prediction":[203],"should":[205],"explanatory":[207],"output":[208],"allow":[210],"different":[211],"tailored":[214],"deployment":[217],"stage":[218],"development":[221],"workflow.":[222],"Few":[223],"none":[230],"identified":[231],"this":[233],"study":[234],"text-based":[236]},"counts_by_year":[],"updated_date":"2026-03-26T06:05:38.182114","created_date":"2026-03-04T00:00:00"}