Coordination is one central tenet of software engineering practices and processes. In terms of software vulnerabilities, coordination is particularly evident in the processes used for obtaining Common Vulnerabilities and Exposures (CVE) identifiers for discovered and disclosed vulnerabilities. As the central CVE tracking infrastructure maintained by the non-profit MITRE Corporation has recently been criticized for time delays in CVE assignment, an almost ideal case is available for studying software and security engineering coordination practices with practical relevance. Given this practical motivation, this paper examines open source CVE coordination that occurs on the public oss-security mailing list. By combining social network analysis with a data-driven research approach, the paper asks seven data mining questions with practical relevance. By reflecting on the answers to these questions, obtained by means of descriptive statistics, the paper consequently contributes not only to the contemporary practical debates, but also to the tradition of empirical vulnerability research. Both the perspective and the case are novel in this tradition.
Jukka Ruohonen, Sampsa Rauti, Sami Hyrynsalmi, Ville Leppänen (University of Turku): Mining social networks of open source CVE coordination