{"id":"https://openalex.org/W3093633035","doi":"https://doi.org/10.1145/3406112","title":"The Tip of the Iceberg","display_name":"The Tip of the Iceberg","publication_year":2020,"publication_date":"2020-09-28","ids":{"openalex":"https://openalex.org/W3093633035","doi":"https://doi.org/10.1145/3406112","mag":"3093633035"},"language":"en","primary_location":{"id":"doi:10.1145/3406112","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3406112","pdf_url":null,"source":{"id":"https://openalex.org/S4210174050","display_name":"ACM Transactions on Privacy and Security","issn_l":"2471-2566","issn":["2471-2566","2471-2574"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Privacy and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5103083515","display_name":"\u039d\u03b9\u03ba\u03cc\u03bb\u03b1\u03bf\u03c2 \u0391\u03bb\u03b5\u03be\u03cc\u03c0\u03bf\u03c5\u03bb\u03bf\u03c2","orcid":"https://orcid.org/0000-0001-8383-4761"},"institutions":[{"id":"https://openalex.org/I31512782","display_name":"Technical University of Darmstadt","ror":"https://ror.org/05n911h24","country_code":"DE","type":"education","lineage":["https://openalex.org/I31512782"]}],"countries":["DE"],"is_corresponding":true,"raw_author_name":"Nikolaos Alexopoulos","raw_affiliation_strings":["Technical University of Darmstadt, Germany"],"affiliations":[{"raw_affiliation_string":"Technical University of Darmstadt, Germany","institution_ids":["https://openalex.org/I31512782"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5046993870","display_name":"Sheikh Mahbub Habib","orcid":"https://orcid.org/0000-0003-1183-4310"},"institutions":[{"id":"https://openalex.org/I147869694","display_name":"Continental (Germany)","ror":"https://ror.org/0359s0245","country_code":"DE","type":"company","lineage":["https://openalex.org/I147869694"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Sheikh Mahbub Habib","raw_affiliation_strings":["Continental AG, Germany"],"affiliations":[{"raw_affiliation_string":"Continental AG, Germany","institution_ids":["https://openalex.org/I147869694"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5109052111","display_name":"Steffen Schulz","orcid":null},"institutions":[{"id":"https://openalex.org/I4210094487","display_name":"Intel (Germany)","ror":"https://ror.org/00m2x0g47","country_code":"DE","type":"company","lineage":["https://openalex.org/I1343180700","https://openalex.org/I4210094487"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Steffen Schulz","raw_affiliation_strings":["Intel Labs, Germany"],"affiliations":[{"raw_affiliation_string":"Intel Labs, Germany","institution_ids":["https://openalex.org/I4210094487"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5021712397","display_name":"Max M\u00fchlh\u00e4user","orcid":"https://orcid.org/0000-0003-4713-5327"},"institutions":[{"id":"https://openalex.org/I31512782","display_name":"Technical University of Darmstadt","ror":"https://ror.org/05n911h24","country_code":"DE","type":"education","lineage":["https://openalex.org/I31512782"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Max M\u00fchlh\u00e4user","raw_affiliation_strings":["Technical University of Darmstadt, Germany"],"affiliations":[{"raw_affiliation_string":"Technical University of Darmstadt, Germany","institution_ids":["https://openalex.org/I31512782"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5103083515"],"corresponding_institution_ids":["https://openalex.org/I31512782"],"apc_list":null,"apc_paid":null,"fwci":0.2669,"has_fulltext":false,"cited_by_count":4,"citation_normalized_percentile":{"value":0.65877786,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":99},"biblio":{"volume":"24","issue":"1","first_page":"1","last_page":"33"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12423","display_name":"Software Reliability and Analysis Research","score":0.9991999864578247,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7258424162864685},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.6797287464141846},{"id":"https://openalex.org/keywords/intuition","display_name":"Intuition","score":0.5781751275062561},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.5485894083976746},{"id":"https://openalex.org/keywords/publication","display_name":"Publication","score":0.5306949615478516},{"id":"https://openalex.org/keywords/iceberg","display_name":"Iceberg","score":0.5188294649124146},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.5128260254859924},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.4593949019908905},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4581751525402069},{"id":"https://openalex.org/keywords/data-science","display_name":"Data science","score":0.42509520053863525},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.3614693284034729},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.10397028923034668},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.09158802032470703},{"id":"https://openalex.org/keywords/geography","display_name":"Geography","score":0.07963895797729492},{"id":"https://openalex.org/keywords/law","display_name":"Law","score":0.07155591249465942}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7258424162864685},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.6797287464141846},{"id":"https://openalex.org/C132010649","wikidata":"https://www.wikidata.org/wiki/Q189222","display_name":"Intuition","level":2,"score":0.5781751275062561},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.5485894083976746},{"id":"https://openalex.org/C41458344","wikidata":"https://www.wikidata.org/wiki/Q732577","display_name":"Publication","level":2,"score":0.5306949615478516},{"id":"https://openalex.org/C12481700","wikidata":"https://www.wikidata.org/wiki/Q47568","display_name":"Iceberg","level":3,"score":0.5188294649124146},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.5128260254859924},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.4593949019908905},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4581751525402069},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.42509520053863525},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.3614693284034729},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.10397028923034668},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.09158802032470703},{"id":"https://openalex.org/C205649164","wikidata":"https://www.wikidata.org/wiki/Q1071","display_name":"Geography","level":0,"score":0.07963895797729492},{"id":"https://openalex.org/C199539241","wikidata":"https://www.wikidata.org/wiki/Q7748","display_name":"Law","level":1,"score":0.07155591249465942},{"id":"https://openalex.org/C111472728","wikidata":"https://www.wikidata.org/wiki/Q9471","display_name":"Epistemology","level":1,"score":0.0},{"id":"https://openalex.org/C136894858","wikidata":"https://www.wikidata.org/wiki/Q213926","display_name":"Sea ice","level":2,"score":0.0},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.0},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0},{"id":"https://openalex.org/C153294291","wikidata":"https://www.wikidata.org/wiki/Q25261","display_name":"Meteorology","level":1,"score":0.0},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3406112","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3406112","pdf_url":null,"source":{"id":"https://openalex.org/S4210174050","display_name":"ACM Transactions on Privacy and Security","issn_l":"2471-2566","issn":["2471-2566","2471-2574"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Privacy and Security","raw_type":"journal-article"},{"id":"pmh:oai:tubiblio.ulb.tu-darmstadt.de:123207","is_oa":false,"landing_page_url":"http://tubiblio.ulb.tu-darmstadt.de/123207/","pdf_url":null,"source":{"id":"https://openalex.org/S4377196390","display_name":"TUbilio (Technical University of Darmstadt)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I31512782","host_organization_name":"Technische Universit\u00e4t Darmstadt","host_organization_lineage":["https://openalex.org/I31512782"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Artikel"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.5600000023841858}],"awards":[],"funders":[{"id":"https://openalex.org/F4320321114","display_name":"Bundesministerium f\u00fcr Bildung und Forschung","ror":"https://ror.org/04pz7b180"},{"id":"https://openalex.org/F4320321961","display_name":"Hessisches Ministerium f\u00fcr Wissenschaft und Kunst","ror":"https://ror.org/00zd5gr55"}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":41,"referenced_works":["https://openalex.org/W172316423","https://openalex.org/W1490011260","https://openalex.org/W1545144661","https://openalex.org/W1685057348","https://openalex.org/W1845951405","https://openalex.org/W1878544538","https://openalex.org/W1979931683","https://openalex.org/W2000042664","https://openalex.org/W2021348304","https://openalex.org/W2028486686","https://openalex.org/W2045749853","https://openalex.org/W2062706277","https://openalex.org/W2065890363","https://openalex.org/W2069268700","https://openalex.org/W2077836579","https://openalex.org/W2088856850","https://openalex.org/W2093973026","https://openalex.org/W2104556041","https://openalex.org/W2109156518","https://openalex.org/W2114712239","https://openalex.org/W2149764216","https://openalex.org/W2159682002","https://openalex.org/W2163593802","https://openalex.org/W2165004968","https://openalex.org/W2168234580","https://openalex.org/W2186815972","https://openalex.org/W2513442265","https://openalex.org/W2533698187","https://openalex.org/W2574017551","https://openalex.org/W2654868256","https://openalex.org/W2752912380","https://openalex.org/W2753308995","https://openalex.org/W2766411424","https://openalex.org/W2766615649","https://openalex.org/W2774698839","https://openalex.org/W2888940240","https://openalex.org/W2965588382","https://openalex.org/W3102446060","https://openalex.org/W3103362336","https://openalex.org/W4243272515","https://openalex.org/W4246553962"],"related_works":["https://openalex.org/W2141388993","https://openalex.org/W1978034799","https://openalex.org/W2999607548","https://openalex.org/W2956597637","https://openalex.org/W2044639210","https://openalex.org/W2293245356","https://openalex.org/W4225160120","https://openalex.org/W23486959","https://openalex.org/W1588942021","https://openalex.org/W1981466760"],"abstract_inverted_index":{"In":[0],"this":[1,22,124],"article,":[2],"we":[3,46,143,150,189],"investigate":[4],"a":[5,25,134,147],"fundamental":[6],"question":[7,23],"regarding":[8],"software":[9,34,58],"security:":[10],"Is":[11],"the":[12,29,37,52,68,77,100,111,119,126,130,197],"security":[13],"of":[14,28,32,55,70,79,102,113,116,121,137,185],"SW":[15],"releases":[16],"increasing":[17],"over":[18,60],"time?":[19],"We":[20,163],"approach":[21],"with":[24,99],"detailed":[26],"analysis":[27,177,184,209],"large":[30],"body":[31],"open-source":[33],"packaged":[35],"in":[36,63,203],"popular":[38,64,154],"Debian":[39,166],"GNU/Linux":[40],"distribution.":[41],"Contrary":[42],"to":[43,75,97,179],"common":[44],"intuition,":[45],"find":[47],"no":[48],"clear":[49],"evidence":[50],"that":[51,132,152],"vulnerability":[53,198,208],"rate":[54,78],"widely":[56],"used":[57],"decreases":[59],"time:":[61],"Even":[62],"and":[65,91,104,176,182,201,210],"\u201cstable\u201d":[66],"releases,":[67],"fixing":[69],"bugs":[71],"does":[72],"not":[73,95,145],"seem":[74,96],"reduce":[76],"newly":[80],"identified":[81],"vulnerabilities.":[82,117],"The":[83],"intuitive":[84],"conclusion":[85],"is":[86,125],"worrisome:":[87],"Commonly":[88],"employed":[89],"development":[90],"validation":[92],"procedures":[93],"do":[94],"scale":[98],"increase":[101],"features":[103],"complexity\u2014they":[105],"are":[106],"only":[107],"chopping":[108],"pieces":[109],"off":[110],"top":[112],"an":[114,172],"iceberg":[115],"To":[118],"best":[120],"our":[122,161,165,186,191],"knowledge,":[123],"first":[127],"investigation":[128],"into":[129,196],"problem":[131],"studies":[133],"complete":[135],"distribution":[136],"software,":[138],"spanning":[139],"multiple":[140],"versions.":[141],"Although":[142],"can":[144],"give":[146],"definitive":[148],"answer,":[149],"show":[151],"several":[153],"beliefs":[155],"also":[156],"cannot":[157],"be":[158],"confirmed":[159],"given":[160],"dataset.":[162],"publish":[164],"Vulnerability":[167],"Analysis":[168],"Framework":[169],"(DVAF)":[170],",":[171],"automated":[173],"dataset":[174],"creation":[175],"process,":[178],"enable":[180],"reproduction":[181],"further":[183],"results.":[187],"Overall,":[188],"hope":[190],"contributions":[192],"provide":[193],"important":[194],"insights":[195],"discovery":[199],"process":[200],"help":[202],"identifying":[204],"effective":[205],"techniques":[206],"for":[207],"prevention.":[211]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":1},{"year":2024,"cited_by_count":1},{"year":2021,"cited_by_count":1}],"updated_date":"2026-02-26T08:16:20.718346","created_date":"2020-10-29T00:00:00"}