Do Bugs Foreshadow Vulnerabilities?: An In-depth Study of the Chromium Project

Authors: Felivel Camilo, Andrew Meneely, Meiyappan Nagappan

Venue: EMSE (Empirical Software Engineering), Vol. 22, No. 3, pp. 1305-1347, 2016

Year: 2016

Abstract: As developers face an ever-increasing pressure to engineer secure software, researchers are building an understanding of security-sensitive bugs (i.e. vulnerabilities). Research into mining software repositories has greatly increased our understanding of software quality via empirical study of bugs. Conceptually, however, vulnerabilities differ from bugs: they represent an abuse of functionality as opposed to insufficient functionality commonly associated with traditional, non-security bugs. We performed an in-depth analysis of the Chromium project to empirically examine the relationship between bugs and vulnerabilities. We mined 374,686 bugs and 703 post-release vulnerabilities over five Chromium releases that span six years of development. We used logistic regression analysis, ranking analysis, bug type classifications, developer experience, and vulnerability severity metrics to examine the overarching question: are bugs and vulnerabilities in the same files? While we found statistically significant correlations between pre-release bugs and post-release vulnerabilities, we found the association to be weak. Number of features, source lines of code, and pre-release security bugs are, in general, more closely associated with post-release vulnerabilities than any of our non-security bug categories. In further analysis, we examined sub-types of bugs, such as stability-related bugs, and the associations did not improve. Even the files with the most severe vulnerabilities (by measure of CVSS or bounty payouts) did not show strong correlations with number of bugs. These results indicate that bugs and vulnerabilities are empirically dissimilar groups, motivating the need for security engineering research to target vulnerabilities specifically.

Preprint: PDF

BibTeX:

@article{felivelcamilo2016dbfvaisotcp,
    author = "Felivel Camilo and Andrew Meneely and Meiyappan Nagappan",
    title = "Do Bugs Foreshadow Vulnerabilities?: An In-depth Study of the Chromium Project",
    year = "2016",
    pages = "1305-1347",
    journal = "Empirical Software Engineering",
    volume = "22",
    number = "3"
}

Plain Text:

Felivel Camilo, Andrew Meneely, and Meiyappan Nagappan, "Do Bugs Foreshadow Vulnerabilities?: An In-depth Study of the Chromium Project," Empirical Software Engineering, vol. 22, no. 3, pp. 1305-1347, 2016.