Beyond CVEs
An Analysis of Untracked Software Vulnerabilities Disclosed in Public Issue Trackers
Abstract
Software vulnerabilities are weaknesses in software products that can be exploited for malicious purposes, and they pose a significant threat to security and privacy. The Common Vulnerabilities and Exposures (CVE) system is the widely used mechanism for coordinating information about them. Although much research has been done on coordinated CVEs, far less attention has been paid to vulnerabilities that never receive a CVE identifier. This research aims to estimate the number of vulnerabilities in open-source projects that do not receive a CVE identifier and are consequently overlooked by the community. It focuses on quantifying the prevalence of security issues in the issue trackers of GitHub projects, examining these issues to find hidden CVEs (vulnerabilities that would qualify for a CVE but never received one), and rating their severity with the CVSS 3.1 scoring methodology. The methods used are data extraction and analysis, transformer-based models for classifying issues as security-relevant, and expert validation for CVE identification and severity scoring. The findings reveal the scale and nature of untracked security threats in open-source software. A DeBERTaV3 model fine-tuned on the Chromium dataset performed well on the security-issue classification task, reaching an F1 score of 0.9 after adjusting the decision threshold. Applying the model to the gRPC project as a case study, 2.4% of the issues in its tracker were predicted to be security issues; of these, 52 were validated as hidden CVEs with an average CVSS 3.1 base score of 5.3, compared with the 11 CVEs attributed to the gRPC project in NVD. These findings suggest that current practices for vulnerability reporting and management in open-source projects need revising, which may influence future security protocols and policies.
The results of the study serve as input to decisions on improving the coordinated vulnerability disclosure process in open-source software. An initial intervention is suggested to induce behaviour change and incentivise discoverers to disclose sensitive vulnerability information through private communication channels. Future work on why discoverers post such sensitive information in public trackers is required to create well-informed and effective policies for coordinated vulnerability disclosure.
Files
File under embargo until 31-07-2025