{
  "status": "ok",
  "message-type": "work",
  "message-version": "1.0.0",
  "message": {
    "indexed": {
      "date-parts": [[2026, 1, 14]],
      "date-time": "2026-01-14T08:07:31Z",
      "timestamp": 1768378051235,
      "version": "3.49.0"
    },
    "reference-count": 21,
    "publisher": "Wiley",
    "issue": "10",
    "license": [
      {
        "start": {
          "date-parts": [[2021, 9, 2]],
          "date-time": "2021-09-02T00:00:00Z",
          "timestamp": 1630540800000
        },
        "content-version": "vor",
        "delay-in-days": 0,
        "URL": "http:\/\/onlinelibrary.wiley.com\/termsAndConditions#vor"
      }
    ],
    "funder": [
      {
        "DOI": "10.13039\/501100018592",
        "name": "\u201c333 Project\u201d of Jiangsu Province",
        "doi-asserted-by": "publisher",
        "id": [
          {"id": "10.13039\/501100018592", "id-type": "DOI", "asserted-by": "publisher"}
        ]
      },
      {
        "DOI": "10.13039\/501100001809",
        "name": "National Natural Science Foundation of China",
        "doi-asserted-by": "publisher",
        "award": ["No. 61872312"],
        "award-info": [{"award-number": ["No. 61872312"]}],
        "id": [
          {"id": "10.13039\/501100001809", "id-type": "DOI", "asserted-by": "publisher"}
        ]
      },
      {
        "DOI": "10.13039\/501100001809",
        "name": "National Natural Science Foundation of China",
        "doi-asserted-by": "publisher",
        "award": ["No. 61972335"],
        "award-info": [{"award-number": ["No. 61972335"]}],
        "id": [
          {"id": "10.13039\/501100001809", "id-type": "DOI", "asserted-by": "publisher"}
        ]
      },
      {
        "DOI": "10.13039\/501100001809",
        "name": "National Natural Science Foundation of China",
        "doi-asserted-by": "publisher",
        "award": ["No. 62002309"],
        "award-info": [{"award-number": ["No. 62002309"]}],
        "id": [
          {"id": "10.13039\/501100001809", "id-type": "DOI", "asserted-by": "publisher"}
        ]
      },
      {
        "DOI": "10.13039\/501100010014",
        "name": "Six Talent Peaks Project in Jiangsu Province",
        "doi-asserted-by": "publisher",
        "award": ["No. RJFW\u2010053"],
        "award-info": [{"award-number": ["No. RJFW\u2010053"]}],
        "id": [
          {"id": "10.13039\/501100010014", "id-type": "DOI", "asserted-by": "publisher"}
        ]
      }
    ],
    "content-domain": {
      "domain": ["onlinelibrary.wiley.com"],
      "crossmark-restriction": true
    },
    "short-container-title": ["J Software Evolu Process"],
    "published-print": {"date-parts": [[2021, 10]]},
    "abstract": "<jats:title>Abstract<\/jats:title><jats:p>Security bugs can catastrophically impact our increasingly digital lives. Designing effective tools for detecting and fixing software security bugs requires a deep understanding of security bug characteristics. In this paper, we conducted a comprehensive study on security bugs and proposed the classification criteria for security bug category, that is, root cause, consequence, and location. In addition, we selected 1076 bug reports from five projects (i.e., Apache Tomcat, Apache HTTP Server, Mozilla Firefox, Linux Kernel, and Eclipse) in the NVD for investigation. Finally, we investigated the correlation between the classification results and obtained some findings: (1) memory operation is the most common security bug; (2) the primary root causes of security bugs are CON (Configuration Error), INP (Input Validation Error), and MEM (Memory Error); (3) the severity of more than 40% of security bugs is high; (4) security bugs caused by INP mainly occur on web; and (5) security bugs caused by LOG (Logic Resource Error) usually lead to DoS (Denial of Service). We discussed these findings through data analysis, which can also help developers better understand the characteristics of security bugs.<\/jats:p>",
    "DOI": "10.1002\/smr.2376",
    "type": "journal-article",
    "created": {
      "date-parts": [[2021, 9, 3]],
      "date-time": "2021-09-03T04:17:55Z",
      "timestamp": 1630642675000
    },
    "update-policy": "https:\/\/doi.org\/10.1002\/crossmark_policy",
    "source": "Crossref",
    "is-referenced-by-count": 20,
    "title": ["A comprehensive study on security bug characteristics"],
    "prefix": "10.1002",
    "volume": "33",
    "author": [
      {
        "given": "Ying",
        "family": "Wei",
        "sequence": "first",
        "affiliation": [
          {"name": "School of Information Engineering Yangzhou University  Yangzhou China"}
        ]
      },
      {
        "given": "Xiaobing",
        "family": "Sun",
        "sequence": "additional",
        "affiliation": [
          {"name": "School of Information Engineering Yangzhou University  Yangzhou China"},
          {"name": "State Key Laboratory for Novel Software Technology Nanjing University  Nanjing China"}
        ]
      },
      {
        "given": "Lili",
        "family": "Bo",
        "sequence": "additional",
        "affiliation": [
          {"name": "School of Information Engineering Yangzhou University  Yangzhou China"},
          {"name": "State Key Laboratory for Novel Software Technology Nanjing University  Nanjing China"},
          {"name": "Key Laboratory of Safety\u2010Critical Software Ministry of Industry and Information Technology Nanjing University of Aeronautics and Astronautics  Nanjing China"}
        ]
      },
      {
        "given": "Sicong",
        "family": "Cao",
        "sequence": "additional",
        "affiliation": [
          {"name": "School of Information Engineering Yangzhou University  Yangzhou China"}
        ]
      },
      {
        "given": "Xin",
        "family": "Xia",
        "sequence": "additional",
        "affiliation": [
          {"name": "Faculty of Information Technology Monash University  Melbourne Australia"}
        ]
      },
      {
        "given": "Bin",
        "family": "Li",
        "sequence": "additional",
        "affiliation": [
          {"name": "School of Information Engineering Yangzhou University  Yangzhou China"}
        ]
      }
    ],
    "member": "311",
    "published-online": {"date-parts": [[2021, 9, 2]]},
    "reference": [
      {
        "key": "e_1_2_14_2_1",
        "doi-asserted-by": "publisher",
        "DOI": "10.1037\/1082-989X.1.2.150"
      },
      {
        "key": "e_1_2_14_3_1",
        "doi-asserted-by": "crossref",
        "unstructured": "PiantadosiV ScalabrinoS&OlivetoRFixing of Security Vulnerabilities in Open Source Projects: A Case Study of Apache HTTP Server and Apache Tomcat. In: 12th IEEE Conference on Software Testing Validation and Verification ICST 2019 Xi'an China April 22\u201027 2019. IEEE; 2019: 68\u201078",
        "DOI": "10.1109\/ICST.2019.00017"
      },
      {
        "key": "e_1_2_14_4_1",
        "doi-asserted-by": "publisher",
        "DOI": "10.1177\/001316446002000104"
      },
      {
        "key": "e_1_2_14_5_1",
        "doi-asserted-by": "publisher",
        "DOI": "10.1016\/j.stamet.2010.05.003"
      },
      {
        "key": "e_1_2_14_6_1",
        "doi-asserted-by": "publisher",
        "DOI": "10.2307\/2529310"
      },
      {
        "key": "e_1_2_14_7_1",
        "doi-asserted-by": "crossref",
        "unstructured": "LiX ChangX BoardJA&TrivediKSA novel approach for software vulnerability classification. In: 2017 Annual Reliability and Maintainability Symposium (RAMS). IEEE. ; 2017: 1\u20107.",
        "DOI": "10.1109\/RAM.2017.7889792"
      },
      {
        "key": "e_1_2_14_8_1",
        "doi-asserted-by": "crossref",
        "unstructured": "SharmaC&JainSCAnalysis and classification of SQL injection vulnerabilities and attacks on web applications. In: International Conference on Advances in Engineering Technology Research (ICAETR \u2010 2014); 2014: 1\u20106",
        "DOI": "10.1109\/ICAETR.2014.7012815"
      },
      {
        "key": "e_1_2_14_9_1",
        "doi-asserted-by": "crossref",
        "unstructured": "XuZ.Source Code and Binary Level Vulnerability Detection and Hot Patching. In: IEEE; 2020: 1397\u20101399.",
        "DOI": "10.1145\/3324884.3418914"
      },
      {
        "key": "e_1_2_14_10_1",
        "unstructured": "WeilerNHoneypots for Distributed Denial of Service Attacks. In: IEEE Computer Society; 2002: 109\u2010114"
      },
      {
        "key": "e_1_2_14_11_1",
        "doi-asserted-by": "crossref",
        "unstructured": "XuJ NingP KilC ZhaiY&BookholtCAutomatic diagnosis and response to memory corruption vulnerabilities. In: Proceedings of the 12th ACM Conference on Computer and Communications Security CCS 2005 Alexandria VA USA November 7\u201011 2005. ACM; 2005: 223\u2010234",
        "DOI": "10.1145\/1102120.1102151"
      },
      {
        "key": "e_1_2_14_12_1",
        "doi-asserted-by": "crossref",
        "unstructured": "ShindePS&ArdhapurkarSBCyber security analysis using vulnerability assessment and penetration testing. In: 2016 World Conference on Futuristic Trends in Research and Innovation for Social Welfare (Startup Conclave); 2016: 1\u20105",
        "DOI": "10.1109\/STARTUP.2016.7583912"
      },
      {
        "key": "e_1_2_14_13_1",
        "doi-asserted-by": "publisher",
        "DOI": "10.1007\/s10664-013-9258-8"
      },
      {
        "key": "e_1_2_14_14_1",
        "unstructured": "AyanamVSSoftware Security Vulnerability Vs. Software Coupling: A Study with Empirical Evidence. PhD thesis. Southern Polytechnic State University 2009."
      },
      {
        "key": "e_1_2_14_15_1",
        "doi-asserted-by": "publisher",
        "DOI": "10.1007\/s10664-018-9665-y"
      },
      {
        "key": "e_1_2_14_16_1",
        "doi-asserted-by": "publisher",
        "DOI": "10.1016\/j.jss.2019.03.002"
      },
      {
        "key": "e_1_2_14_17_1",
        "doi-asserted-by": "crossref",
        "unstructured": "ZamanS AdamsB&HassanAESecurity versus performance bugs: a case study on firefox. In: Proceedings of the 8th working conference on mining software repositories. 2011: 93\u2010102.",
        "DOI": "10.1145\/1985441.1985457"
      },
      {
        "key": "e_1_2_14_18_1",
        "doi-asserted-by": "publisher",
        "DOI": "10.1007\/s11432-017-9459-5"
      },
      {
        "key": "e_1_2_14_19_1",
        "unstructured": "AlhazmiOH WooS&MalaiyaYKSecurity vulnerability categories in major software systems. In: Proceedings of the Third IASTED International Conference on Communication Network and Information Security October 9\u201011 2006 Cambridge MA USA. IASTED\/ACTA Press; 2006: 138\u2010143."
      },
      {
        "key": "e_1_2_14_20_1",
        "doi-asserted-by": "publisher",
        "DOI": "10.1145\/1082983.1083209"
      },
      {
        "key": "e_1_2_14_21_1",
        "doi-asserted-by": "crossref",
        "unstructured": "LowisL&AccorsiROn a classification approach for SOA vulnerabilities. In:. 2 of 2009 33rd Annual IEEE International Computer Software and Applications Conference. IEEE; 2009: 439\u2010444.",
        "DOI": "10.1109\/COMPSAC.2009.173"
      },
      {
        "key": "e_1_2_14_22_1",
        "unstructured": "PiessensF.A taxonomy of causes of software vulnerabilities in Internet software. In: Supplementary Proceedings of the 13th International Symposium on Software Reliability Engineering. Citeseer; 2002: 47\u201352."
      }
    ],
    "container-title": ["Journal of Software: Evolution and Process"],
    "original-title": [],
    "language": "en",
    "link": [
      {
        "URL": "https:\/\/onlinelibrary.wiley.com\/doi\/pdf\/10.1002\/smr.2376",
        "content-type": "application\/pdf",
        "content-version": "vor",
        "intended-application": "text-mining"
      },
      {
        "URL": "https:\/\/onlinelibrary.wiley.com\/doi\/full-xml\/10.1002\/smr.2376",
        "content-type": "application\/xml",
        "content-version": "vor",
        "intended-application": "text-mining"
      },
      {
        "URL": "https:\/\/onlinelibrary.wiley.com\/doi\/pdf\/10.1002\/smr.2376",
        "content-type": "unspecified",
        "content-version": "vor",
        "intended-application": "similarity-checking"
      }
    ],
    "deposited": {
      "date-parts": [[2023, 8, 29]],
      "date-time": "2023-08-29T03:01:15Z",
      "timestamp": 1693278075000
    },
    "score": 1,
    "resource": {
      "primary": {"URL": "https:\/\/onlinelibrary.wiley.com\/doi\/10.1002\/smr.2376"}
    },
    "subtitle": [],
    "short-title": [],
    "issued": {"date-parts": [[2021, 9, 2]]},
    "references-count": 21,
    "journal-issue": {
      "issue": "10",
      "published-print": {"date-parts": [[2021, 10]]}
    },
    "alternative-id": ["10.1002\/smr.2376"],
    "URL": "https:\/\/doi.org\/10.1002\/smr.2376",
    "archive": ["Portico"],
    "relation": {},
    "ISSN": ["2047-7473", "2047-7481"],
    "issn-type": [
      {"value": "2047-7473", "type": "print"},
      {"value": "2047-7481", "type": "electronic"}
    ],
    "subject": [],
    "published": {"date-parts": [[2021, 9, 2]]},
    "assertion": [
      {
        "value": "2020-12-31",
        "order": 0,
        "name": "received",
        "label": "Received",
        "group": {"name": "publication_history", "label": "Publication History"}
      },
      {
        "value": "2021-08-04",
        "order": 1,
        "name": "accepted",
        "label": "Accepted",
        "group": {"name": "publication_history", "label": "Publication History"}
      },
      {
        "value": "2021-09-02",
        "order": 2,
        "name": "published",
        "label": "Published",
        "group": {"name": "publication_history", "label": "Publication History"}
      }
    ],
    "article-number": "e2376"
  }
}