Early Detection of Security-Relevant Bug Reports using Machine Learning: How Far Are We?

by   Arthur D. Sawadogo, et al.

Bug reports are common artefacts in software development. They serve as the main channel for users to communicate to developers information about the issues that they encounter when using released versions of software programs. In the descriptions of issues, however, a user may, intentionally or not, expose a vulnerability. In a typical maintenance scenario, such security-relevant bug reports are prioritised by the development team when preparing corrective patches. Nevertheless, when security relevance is not immediately expressed (e.g., via a tag) or rapidly identified by triaging teams, the open security-relevant bug report can become a critical leak of sensitive information that attackers can leverage to perform zero-day attacks. To support practitioners in triaging bug reports, the research community has proposed a number of approaches for the detection of security-relevant bug reports. In recent years, approaches in this respect based on machine learning have been reported with promising performance. Our work focuses on such approaches, and revisits their building blocks to provide a comprehensive view on the current achievements. To that end, we built a large experimental dataset and performed extensive experiments with variations in feature sets and learning algorithms. Eventually, our study highlights different approach configurations that yield best performing classifiers.


page 1

page 8

page 9


Better Security Bug Report Classification via Hyperparameter Optimization

When security bugs are detected, they should be (a) discussed privately ...

Developer Load Normalization Using Iterative Kuhn-Munkres Algorithm: An Optimization Triaging Approach

Bug triage can be defined as the process of assigning a developer to a b...

An Exploratory Study on Regression Vulnerabilities

Background: Security regressions are vulnerabilities introduced in a pre...

A "Final" Security Bug

This article discusses a fixed critical security bug in Google Tink's Ed...

Cupid: Leveraging ChatGPT for More Accurate Duplicate Bug Report Detection

Duplicate bug report detection (DBRD) is a long-standing challenge in bo...

Evaluating Software User Feedback Classifiers on Unseen Apps, Datasets, and Metadata

Listening to user's requirements is crucial to building and maintaining ...

BugListener: Identifying and Synthesizing Bug Reports from Collaborative Live Chats

In community-based software development, developers frequently rely on l...

Please sign up or login with your details

Forgot password? Click here to reset