{"id":"https://openalex.org/W4385080312","doi":"https://doi.org/10.1109/sp46215.2023.10179378","title":"\"Always Contribute Back\": A Qualitative Study on Security Challenges of the Open Source Supply Chain","display_name":"\"Always Contribute Back\": A Qualitative Study on Security Challenges of the Open Source Supply Chain","publication_year":2023,"publication_date":"2023-05-01","ids":{"openalex":"https://openalex.org/W4385080312","doi":"https://doi.org/10.1109/sp46215.2023.10179378"},"language":"en","primary_location":{"id":"doi:10.1109/sp46215.2023.10179378","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46215.2023.10179378","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref","datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://figshare.com/articles/conference_contribution/_Always_Contribute_Back_A_Qualitative_Study_on_Security_Challenges_of_the_Open_Source_Supply_Chain/24614688","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5004650891","display_name":"Dominik Wermke","orcid":"https://orcid.org/0009-0008-2921-1254"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Dominik Wermke","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security,Germany","CISPA Helmholtz Center for Information Security, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security,Germany","institution_ids":["https://openalex.org/I4210128801"]},{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037107748","display_name":"Jan H. Klemmer","orcid":"https://orcid.org/0000-0002-6994-7206"},"institutions":[{"id":"https://openalex.org/I114112103","display_name":"Leibniz University Hannover","ror":"https://ror.org/0304hq317","country_code":"DE","type":"education","lineage":["https://openalex.org/I114112103"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Jan H. Klemmer","raw_affiliation_strings":["Leibniz University Hannover,Germany","Leibniz University Hannover, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Leibniz University Hannover,Germany","institution_ids":["https://openalex.org/I114112103"]},{"raw_affiliation_string":"Leibniz University Hannover, Germany","institution_ids":["https://openalex.org/I114112103"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5047899337","display_name":"Noah W\u00f6hler","orcid":"https://orcid.org/0000-0002-4172-9565"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Noah W\u00f6hler","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security,Germany","CISPA Helmholtz Center for Information Security, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security,Germany","institution_ids":["https://openalex.org/I4210128801"]},{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5066736892","display_name":"Juliane Schm\u00fcser","orcid":"https://orcid.org/0000-0001-7830-6403"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Juliane Schm\u00fcser","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security,Germany","CISPA Helmholtz Center for Information Security, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security,Germany","institution_ids":["https://openalex.org/I4210128801"]},{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5074142826","display_name":"Harshini Sri Ramulu","orcid":"https://orcid.org/0000-0002-0000-5843"},"institutions":[{"id":"https://openalex.org/I206945453","display_name":"Paderborn University","ror":"https://ror.org/058kzsd48","country_code":"DE","type":"education","lineage":["https://openalex.org/I206945453"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Harshini Sri Ramulu","raw_affiliation_strings":["Paderborn University,Germany","Paderborn University, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Paderborn University,Germany","institution_ids":["https://openalex.org/I206945453"]},{"raw_affiliation_string":"Paderborn University, Germany","institution_ids":["https://openalex.org/I206945453"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5074668699","display_name":"Yasemin Acar","orcid":"https://orcid.org/0000-0001-7167-7383"},"institutions":[{"id":"https://openalex.org/I193531525","display_name":"George Washington University","ror":"https://ror.org/00y4zzh67","country_code":"US","type":"education","lineage":["https://openalex.org/I193531525"]},{"id":"https://openalex.org/I206945453","display_name":"Paderborn University","ror":"https://ror.org/058kzsd48","country_code":"DE","type":"education","lineage":["https://openalex.org/I206945453"]}],"countries":["DE","US"],"is_corresponding":false,"raw_author_name":"Yasemin Acar","raw_affiliation_strings":["Paderborn University,Germany","George Washington University, United States","Paderborn University, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Paderborn University,Germany","institution_ids":["https://openalex.org/I206945453"]},{"raw_affiliation_string":"George Washington University, United States","institution_ids":["https://openalex.org/I193531525"]},{"raw_affiliation_string":"Paderborn University, Germany","institution_ids":["https://openalex.org/I206945453"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5087356408","display_name":"Sascha Fahl","orcid":"https://orcid.org/0000-0002-5644-3316"},"institutions":[{"id":"https://openalex.org/I114112103","display_name":"Leibniz University Hannover","ror":"https://ror.org/0304hq317","country_code":"DE","type":"education","lineage":["https://openalex.org/I114112103"]},{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Sascha Fahl","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security,Germany","Leibniz University Hannover, Germany","CISPA Helmholtz Center for Information Security, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security,Germany","institution_ids":["https://openalex.org/I4210128801"]},{"raw_affiliation_string":"Leibniz University Hannover, Germany","institution_ids":["https://openalex.org/I114112103"]},{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Germany","institution_ids":["https://openalex.org/I4210128801"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":7,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":4.6641,"has_fulltext":false,"cited_by_count":18,"citation_normalized_percentile":{"value":0.9556673,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":98,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"1545","last_page":"1560"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11675","display_name":"Open Source Software Innovations","score":0.996999979019165,"subfield":{"id":"https://openalex.org/subfields/1706","display_name":"Computer Science Applications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11675","display_name":"Open Source Software Innovations","score":0.996999979019165,"subfield":{"id":"https://openalex.org/subfields/1706","display_name":"Computer Science Applications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9908999800682068,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9789000153541565,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/supply-chain","display_name":"Supply chain","score":0.7465356588363647},{"id":"https://openalex.org/keywords/open-source","display_name":"Open source","score":0.7455525398254395},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.5262550115585327},{"id":"https://openalex.org/keywords/open-source-software","display_name":"Open source software","score":0.4120878577232361},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.37435638904571533},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.3476601839065552},{"id":"https://openalex.org/keywords/marketing","display_name":"Marketing","score":0.16597506403923035},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.1289714276790619},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.11147668957710266}],"concepts":[{"id":"https://openalex.org/C108713360","wikidata":"https://www.wikidata.org/wiki/Q1824206","display_name":"Supply chain","level":2,"score":0.7465356588363647},{"id":"https://openalex.org/C3018397939","wikidata":"https://www.wikidata.org/wiki/Q3644502","display_name":"Open source","level":3,"score":0.7455525398254395},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5262550115585327},{"id":"https://openalex.org/C2988343187","wikidata":"https://www.wikidata.org/wiki/Q1130645","display_name":"Open source software","level":3,"score":0.4120878577232361},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.37435638904571533},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.3476601839065552},{"id":"https://openalex.org/C162853370","wikidata":"https://www.wikidata.org/wiki/Q39809","display_name":"Marketing","level":1,"score":0.16597506403923035},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.1289714276790619},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.11147668957710266}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1109/sp46215.2023.10179378","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46215.2023.10179378","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},{"id":"pmh:oai:figshare.com:article/24614688","is_oa":true,"landing_page_url":"https://figshare.com/articles/conference_contribution/_Always_Contribute_Back_A_Qualitative_Study_on_Security_Challenges_of_the_Open_Source_Supply_Chain/24614688","pdf_url":null,"source":{"id":"https://openalex.org/S4377196282","display_name":"Figshare","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4210132348","host_organization_name":"Figshare (United Kingdom)","host_organization_lineage":["https://openalex.org/I4210132348"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Text"},{"id":"doi:10.60882/cispa.24614688.v1","is_oa":true,"landing_page_url":"https://doi.org/10.60882/cispa.24614688.v1","pdf_url":null,"source":{"id":"https://openalex.org/S7407050916","display_name":"CISPA Helmholtz Center","issn_l":null,"issn":[],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:oai:figshare.com:article/24614688","is_oa":true,"landing_page_url":"https://figshare.com/articles/conference_contribution/_Always_Contribute_Back_A_Qualitative_Study_on_Security_Challenges_of_the_Open_Source_Supply_Chain/24614688","pdf_url":null,"source":{"id":"https://openalex.org/S4377196282","display_name":"Figshare","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4210132348","host_organization_name":"Figshare (United Kingdom)","host_organization_lineage":["https://openalex.org/I4210132348"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Text"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":72,"referenced_works":["https://openalex.org/W205609712","https://openalex.org/W409344806","https://openalex.org/W606806371","https://openalex.org/W1001914638","https://openalex.org/W1568647190","https://openalex.org/W1767339332","https://openalex.org/W1947959002","https://openalex.org/W1967042038","https://openalex.org/W2047794235","https://openalex.org/W2078410218","https://openalex.org/W2099794586","https://openalex.org/W2101678831","https://openalex.org/W2121513440","https://openalex.org/W2122595236","https://openalex.org/W2286924183","https://openalex.org/W2292723020","https://openalex.org/W2506490502","https://openalex.org/W2511044583","https://openalex.org/W2588952840","https://openalex.org/W2605067380","https://openalex.org/W2618014206","https://openalex.org/W2733373979","https://openalex.org/W2740279154","https://openalex.org/W2772118528","https://openalex.org/W2796056969","https://openalex.org/W2889097348","https://openalex.org/W2896375752","https://openalex.org/W2899036005","https://openalex.org/W2899324080","https://openalex.org/W2941123418","https://openalex.org/W2945486631","https://openalex.org/W2963748706","https://openalex.org/W2971660263","https://openalex.org/W2986678597","https://openalex.org/W2989443621","https://openalex.org/W3017863658","https://openalex.org/W3028407954","https://openalex.org/W3031471692","https://openalex.org/W3040158574","https://openalex.org/W3046453918","https://openalex.org/W3085848379","https://openalex.org/W3088691441","https://openalex.org/W3094949573","https://openalex.org/W3104664309","https://openalex.org/W3121596715","https://openalex.org/W3124376160","https://openalex.org/W3159300567","https://openalex.org/W3162867182","https://openalex.org/W4220682629","https://openalex.org/W4221145571","https://openalex.org/W4251915282","https://openalex.org/W4288057734","https://openalex.org/W4288057810","https://openalex.org/W4293153805","https://openalex.org/W4300165808","https://openalex.org/W4308562555","https://openalex.org/W4312439220","https://openalex.org/W4312875384","https://openalex.org/W4384948741","https://openalex.org/W4385208592","https://openalex.org/W6603356336","https://openalex.org/W6628602181","https://openalex.org/W6713166798","https://openalex.org/W6715480035","https://openalex.org/W6742102062","https://openalex.org/W6743880665","https://openalex.org/W6748952102","https://openalex.org/W6753950056","https://openalex.org/W6754285855","https://openalex.org/W6759246942","https://openalex.org/W6766054592","https://openalex.org/W6794922378"],"related_works":["https://openalex.org/W4376877853","https://openalex.org/W1493891899","https://openalex.org/W4250928611","https://openalex.org/W166480398","https://openalex.org/W1612808768","https://openalex.org/W167327709","https://openalex.org/W1977393088","https://openalex.org/W4387839566","https://openalex.org/W4210922265","https://openalex.org/W2288962794"],"abstract_inverted_index":{"Open":[0],"source":[1,26,108,114,174,187],"components":[2,14,49,115],"are":[3,213],"ubiquitous":[4],"in":[5,78,102,120],"companies\u2019":[6],"setups,":[7],"processes,":[8,98],"and":[9,36,59,68,72,89,100,144,171,195,202,212],"software.":[10],"Utilizing":[11],"these":[12,48],"external":[13,79,106,142],"as":[15,189],"building":[16],"blocks":[17],"enables":[18],"companies":[19,54,181],"to":[20,30,70,156,180,182,197],"leverage":[21],"the":[22,74,103,172,185,200,205],"benefits":[23],"of":[24,40,76,105,122,132,204],"open":[25,107,113,173,186],"software,":[27],"allowing":[28],"them":[29],"focus":[31],"their":[32,42,51,96],"efforts":[33],"on":[34,162],"features":[35],"faster":[37],"delivery":[38],"instead":[39,196],"writing":[41],"own":[43],"components.":[44,160],"But":[45],"by":[46],"introducing":[47],"into":[50],"software":[52,86,175,207],"stack,":[53],"inherit":[55],"unique":[56],"security":[57,203],"challenges":[58],"attack":[60],"surfaces:":[61],"including":[62,141],"code":[63],"from":[64,91,211],"potentially":[65],"unvetted":[66],"contributors":[67],"obligations":[69],"assess":[71],"mitigate":[73],"impact":[75],"vulnerabilities":[77],"components.In":[80],"25":[81],"in-depth,":[82],"semi-structured":[83],"interviews":[84],"with":[85],"developers,":[87],"architects,":[88],"engineers":[90],"industry":[92],"projects,":[93,125],"we":[94,165,178],"investigate":[95],"projects\u2019":[97],"decisions,":[99],"considerations":[101],"context":[104],"code.":[109],"We":[110],"find":[111],"that":[112,126,145],"play":[116],"an":[117],"important":[118],"role":[119],"many":[121,146],"our":[123,163],"participants\u2019":[124],"most":[127],"projects":[128],"have":[129],"some":[130],"form":[131],"company":[133,169],"policy":[134],"or":[135,154],"at":[136],"least":[137],"best":[138],"practice":[139],"for":[140,149,168],"code,":[143],"developers":[147],"wish":[148],"more":[150],"developer-hours,":[151],"dedicated":[152],"teams,":[153],"tools":[155],"better":[157],"audit":[158],"included":[159],"Based":[161],"findings,":[164],"discuss":[166],"implications":[167],"stakeholders":[170],"ecosystem.":[176],"Overall,":[177],"appeal":[179],"not":[183],"treat":[184],"ecosystem":[188,208],"a":[190],"free":[191],"(software)":[192],"supply":[193],"chain":[194],"contribute":[198],"towards":[199],"health":[201],"overall":[206],"they":[209],"benefit":[210],"part":[214],"of.":[215]},"counts_by_year":[{"year":2025,"cited_by_count":6},{"year":2024,"cited_by_count":7},{"year":2023,"cited_by_count":5}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}