Academic researchers (affiliations in paper) · February 2025
Mixed-methods study surveying and interviewing OSS maintainers, identifying 37 aspects of vulnerability-management challenges; supply-chain mistrust and lack of automation were the most challenging.
Why read: The strongest evidence source for documented barriers to security tooling adoption in OSS; peer-reviewed academic study with direct maintainer testimony.
Reports a 91% SAST false-positive rate on public GitHub repos and discusses false-positive reduction techniques.
Why read: Provides the most specific data on SAST false-positive rates in the OSS context, despite vendor provenance; useful for quantifying the alert fatigue problem.