%0 Conference Paper
%B Software Reliability Engineering (ISSRE), 2010 IEEE 21st International Symposium on
%D 2010
%T Towards a bayesian approach in modeling the disclosure of unique security faults in open source projects
%A Anbalagan, Prasanth
%A Vouk, Mladen
%K security
%X Software security has both an objective and a subjective component. A lot of the information available about it today is focused on security vulnerabilities and their disclosure. It is less frequent that security breaches and failure rates are reported, even in open source projects. Disclosure of security problems can take several forms. A disclosure can be accompanied by a release of the fix for the problem, or not. The latter category can be further divided into "voluntary" and "involuntary" security issues. In widely used software there is also considerable variability in the operational profile under which the software is used. This profile is further modified by attacks on the software that may be triggered by security disclosures. Therefore a comprehensive model of the software security qualities of a product needs to incorporate both objective measures, such as security problem disclosure, repair and failure rates, as well as less objective metrics such as implied variability in the operational profile, influence of attacks, and subjective impressions of exposure and severity of the problems, etc. We show how a classical Bayesian model can be adapted for use in the security context. The model is discussed and assessed using data from three open source software project releases. Our results show that the model is suitable for use with a certain subset of disclosed security faults, but that additional work will be needed to identify appropriate shape and scaling functions that would accurately reflect end-user perceptions associated with security problems.
%I IEEE
%P 101-110
%U http://ai2-s2-pdfs.s3.amazonaws.com/edcf/0b13ae1e6317c7e31f6b8783f669b978ffb3.pdf
%> https://flosshub.org/sites/flosshub.org/files/0b13ae1e6317c7e31f6b8783f669b978ffb3.pdf

%0 Conference Paper
%B 2009 6th IEEE International Working Conference on Mining Software Repositories (MSR)
%D 2009
%T On mining data across software repositories
%A Anbalagan, Prasanth
%A Vouk, Mladen
%K bug reports
%K bugzilla
%K Fedora
%K Firefox
%K htmlscraper
%K integration
%K launchpad
%K national vulnerability database
%K RedHat
%K Suse
%K tracker
%K Ubuntu
%X Software repositories provide an abundance of valuable information about open source projects. With the increase in the size of the data maintained by the repositories, automated extraction of such data from individual repositories, as well as of linked information across repositories, has become a necessity. In this paper we describe a framework that uses web scraping to automatically mine repositories and link information across repositories. We discuss two implementations of the framework. In the first implementation, we automatically identify and collect security problem reports from project repositories that deploy the Bugzilla bug tracker using related vulnerability information from the National Vulnerability Database. In the second, we collect security problem reports for projects that deploy the Launchpad bug tracker along with related vulnerability information from the National Vulnerability Database. We have evaluated our tool on various releases of the Fedora, Ubuntu, Suse, RedHat, and Firefox projects. The percentage of security bugs identified using our tool is consistent with that reported by other researchers.
%I IEEE
%C Vancouver, BC, Canada
%P 171-174
%@ 978-1-4244-3493-0
%R 10.1109/MSR.2009.5069498
%> https://flosshub.org/sites/flosshub.org/files/171MiningAcrossmsr09.pdf