{"id":"https://openalex.org/W2766411424","doi":"https://doi.org/10.1145/3133956.3134072","title":"A Large-Scale Empirical Study of Security Patches","display_name":"A Large-Scale Empirical Study of Security Patches","publication_year":2017,"publication_date":"2017-10-27","ids":{"openalex":"https://openalex.org/W2766411424","doi":"https://doi.org/10.1145/3133956.3134072","mag":"2766411424"},"language":"en","primary_location":{"id":"doi:10.1145/3133956.3134072","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3133956.3134072","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5050884723","display_name":"Frank Li","orcid":"https://orcid.org/0000-0003-2242-048X"},"institutions":[{"id":"https://openalex.org/I95457486","display_name":"University of California, Berkeley","ror":"https://ror.org/01an7q238","country_code":"US","type":"education","lineage":["https://openalex.org/I95457486"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Frank Li","raw_affiliation_strings":["University of California, Berkeley, Berkeley, CA, USA"],"affiliations":[{"raw_affiliation_string":"University of California, Berkeley, Berkeley, CA, USA","institution_ids":["https://openalex.org/I95457486"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5002219113","display_name":"Vern Paxson","orcid":"https://orcid.org/0009-0005-2673-543X"},"institutions":[{"id":"https://openalex.org/I95457486","display_name":"University of California, Berkeley","ror":"https://ror.org/01an7q238","country_code":"US","type":"education","lineage":["https://openalex.org/I95457486"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Vern Paxson","raw_affiliation_strings":["University of California, Berkeley, Berkeley, CA, USA"],"affiliations":[{"raw_affiliation_string":"University of California, Berkeley, Berkeley, CA, USA","institution_ids":["https://openalex.org/I95457486"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5050884723"],"corresponding_institution_ids":["https://openalex.org/I95457486"],"apc_list":null,"apc_paid":null,"fwci":31.36,"has_fulltext":false,"cited_by_count":227,"citation_normalized_percentile":{"value":0.99647615,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"2201","last_page":"2215"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12423","display_name":"Software Reliability and Analysis Research","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.9977999925613403,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7220719456672668},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.6428775191307068},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.5783354043960571},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.5634236931800842},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5295295119285583},{"id":"https://openalex.org/keywords/security-information-and-event-management","display_name":"Security information and event management","score":0.5109521746635437},{"id":"https://openalex.org/keywords/security-testing","display_name":"Security testing","score":0.5053759217262268},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.4839373230934143},{"id":"https://openalex.org/keywords/scale","display_name":"Scale (ratio)","score":0.47464117407798767},{"id":"https://openalex.org/keywords/security-bug","display_name":"Security bug","score":0.43724191188812256},{"id":"https://openalex.org/keywords/empirical-research","display_name":"Empirical research","score":0.434938907623291},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.43214693665504456},{"id":"https://openalex.org/keywords/work","display_name":"Work (physics)","score":0.422667533159256},{"id":"https://openalex.org/keywords/software-development-process","display_name":"Software development process","score":0.4121393859386444},{"id":"https://openalex.org/keywords/software-development","display_name":"Software development","score":0.3796359896659851},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.3779953122138977},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.3777742385864258},{"id":"https://openalex.org/keywords/cloud-computing-security","display_name":"Cloud computing security","score":0.26957547664642334},{"id":"https://openalex.org/keywords/security-service","display_name":"Security service","score":0.23058593273162842},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.14023101329803467},{"id":"https://openalex.org/keywords/cloud-computing","display_name":"Cloud computing","score":0.09195637702941895}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7220719456672668},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.6428775191307068},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.5783354043960571},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.5634236931800842},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5295295119285583},{"id":"https://openalex.org/C103377522","wikidata":"https://www.wikidata.org/wiki/Q3493999","display_name":"Security information and event management","level":4,"score":0.5109521746635437},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.5053759217262268},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.4839373230934143},{"id":"https://openalex.org/C2778755073","wikidata":"https://www.wikidata.org/wiki/Q10858537","display_name":"Scale (ratio)","level":2,"score":0.47464117407798767},{"id":"https://openalex.org/C131275738","wikidata":"https://www.wikidata.org/wiki/Q7445023","display_name":"Security bug","level":5,"score":0.43724191188812256},{"id":"https://openalex.org/C120936955","wikidata":"https://www.wikidata.org/wiki/Q2155640","display_name":"Empirical research","level":2,"score":0.434938907623291},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.43214693665504456},{"id":"https://openalex.org/C18762648","wikidata":"https://www.wikidata.org/wiki/Q42213","display_name":"Work (physics)","level":2,"score":0.422667533159256},{"id":"https://openalex.org/C180152950","wikidata":"https://www.wikidata.org/wiki/Q2904257","display_name":"Software development process","level":4,"score":0.4121393859386444},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.3796359896659851},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.3779953122138977},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.3777742385864258},{"id":"https://openalex.org/C184842701","wikidata":"https://www.wikidata.org/wiki/Q370563","display_name":"Cloud computing security","level":3,"score":0.26957547664642334},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.23058593273162842},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.14023101329803467},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.09195637702941895},{"id":"https://openalex.org/C62520636","wikidata":"https://www.wikidata.org/wiki/Q944","display_name":"Quantum mechanics","level":1,"score":0.0},{"id":"https://openalex.org/C111472728","wikidata":"https://www.wikidata.org/wiki/Q9471","display_name":"Epistemology","level":1,"score":0.0},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0},{"id":"https://openalex.org/C78519656","wikidata":"https://www.wikidata.org/wiki/Q101333","display_name":"Mechanical engineering","level":1,"score":0.0},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.0},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3133956.3134072","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3133956.3134072","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Responsible consumption and production","id":"https://metadata.un.org/sdg/12","score":0.5600000023841858}],"awards":[{"id":"https://openalex.org/G4781708020","display_name":null,"funder_award_id":"CNS-1518921","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":25,"referenced_works":["https://openalex.org/W172316423","https://openalex.org/W1490011260","https://openalex.org/W1964962870","https://openalex.org/W2004584049","https://openalex.org/W2028513599","https://openalex.org/W2069268700","https://openalex.org/W2072684419","https://openalex.org/W2091543666","https://openalex.org/W2104000753","https://openalex.org/W2112736324","https://openalex.org/W2149398387","https://openalex.org/W2154183829","https://openalex.org/W2157353183","https://openalex.org/W2168234580","https://openalex.org/W2404969801","https://openalex.org/W2505207162","https://openalex.org/W2515891506","https://openalex.org/W2547695167","https://openalex.org/W2618635610","https://openalex.org/W2902381500","https://openalex.org/W4235354960","https://openalex.org/W4244051999","https://openalex.org/W4244536841","https://openalex.org/W4299301436","https://openalex.org/W6681679627"],"related_works":["https://openalex.org/W2155353733","https://openalex.org/W2062583373","https://openalex.org/W3189065608","https://openalex.org/W1566131087","https://openalex.org/W2126513753","https://openalex.org/W896362041","https://openalex.org/W4240401768","https://openalex.org/W2018644264","https://openalex.org/W4313307479","https://openalex.org/W3163146719"],"abstract_inverted_index":{"Given":[0],"how":[1],"the":[2,19,24,31,36,96,128,136,147,153,166,179],"\"patching":[3],"treadmill\"":[4],"plays":[5],"a":[6,63,82,140,144],"central":[7],"role":[8],"for":[9,54,76],"enabling":[10],"sites":[11],"to":[12,22,155,173],"counter":[13],"emergent":[14],"security":[15,20,39,68,112,169],"concerns,":[16],"it":[17],"behooves":[18],"community":[21],"understand":[23],"patch":[25,40,129,150],"development":[26,41,130],"process":[27],"and":[28,51,109,152,160,186],"characteristics":[29],"of":[30,35,38,45,67,85,118,124,127,138,149,168,181,184],"resulting":[32],"fixes.":[33,113,162],"Illumination":[34],"nature":[37,167],"can":[42],"inform":[43],"us":[44],"shortcomings":[46],"in":[47,171],"existing":[48],"remediation":[49],"processes":[50],"provide":[52],"insights":[53],"improving":[55],"current":[56],"practices.":[57],"In":[58],"this":[59,115],"work":[60],"we":[61,93,120],"conduct":[62,121],"large-scale":[64],"empirical":[65],"study":[66],"patches,":[69],"investigating":[70],"more":[71],"than":[72],"4,000":[73],"bug":[74,176],"fixes":[75,170],"over":[77],"3,000":[78],"vulnerabilities":[79],"that":[80],"affected":[81,106],"diverse":[83,116],"set":[84,117],"682":[86],"open-source":[87],"software":[88,107],"projects.":[89],"For":[90],"our":[91],"analysis":[92,123],"draw":[94],"upon":[95],"National":[97],"Vulnerability":[98],"Database,":[99],"information":[100],"scraped":[101],"from":[102],"relevant":[103],"external":[104],"references,":[105],"repositories,":[108],"their":[110,187],"associated":[111],"Leveraging":[114],"information,":[119],"an":[122],"various":[125],"aspects":[126],"life":[131],"cycle,":[132],"including":[133],"investigation":[134],"into":[135],"duration":[137],"impact":[139,188],"vulnerability":[141],"has":[142],"on":[143,189],"code":[145,190],"base,":[146],"timeliness":[148],"development,":[151],"degree":[154],"which":[156],"developers":[157],"produce":[158],"safe":[159],"reliable":[161],"We":[163],"then":[164],"characterize":[165],"comparison":[172],"other":[174],"non-security":[175],"fixes,":[177],"exploring":[178],"complexity":[180],"different":[182],"types":[183],"patches":[185],"bases.":[191]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":25},{"year":2024,"cited_by_count":34},{"year":2023,"cited_by_count":35},{"year":2022,"cited_by_count":31},{"year":2021,"cited_by_count":39},{"year":2020,"cited_by_count":32},{"year":2019,"cited_by_count":20},{"year":2018,"cited_by_count":10}],"updated_date":"2026-04-05T17:49:38.594831","created_date":"2025-10-10T00:00:00"}