Academic researchers · 2024 (arXiv v2: February 2025)
Mixed-methods study surveying and interviewing OSS maintainers listed in the GitHub Advisory Database. Identifies 37 aspects of vulnerability management, with supply chain mistrust and lack of automation as the most challenging.
Why read: The strongest available evidence on maintainer-reported barriers to security tool adoption — academic, peer-reviewed, and directly relevant to understanding why comprehensive CI gates are not adopted despite tool availability.
Sonatype's 10th annual report confirms 94.9% of vulnerable components have a fix available, 13% of Log4j downloads remain vulnerable three years post-disclosure, and remediation times have grown from 25 to 400+ days.
Why read: Provides the behavioral evidence (13% vulnerable Log4j downloads after 3 years) that demonstrates structural barriers persist over time — essential for evaluating the 'security fatigue' concept.
Stephen Hendrick, Ashwin Ramaswami (The Linux Foundation); Foreword by Stephen Augustus, Cisco
Linux Foundation research report surveying OSS maintainer perspectives on software security, covering practices, challenges, and expectations across the open source community.
Why read: Authoritative Linux Foundation survey of maintainer security perspectives — complements the academic mixed-methods study with broader institutional backing and potentially larger sample.