An Empirical Study of Security-Policy Related Issues in Open Source Projects

GitHub recommends that projects adopt a SECURITY.md file that outlines vulnerability reporting procedures. However, the effectiveness and operational challenges of such files are not yet fully understood. This study aims to clarify the challenges that SECURITY.md files face in the vulnerability reporting process within open-source communities. Specifically, we classified and analyzed the content of 711 randomly sampled issues related to SECURITY.md. We also conducted a quantitative comparative analysis of the close time and number of responses for issues concerning six community health files, including SECURITY.md. Our analysis revealed that 79.5% of SECURITY.md-related issues were requests to add the file, and reports that included links were closed, with a median time that was 2 days shorter. These findings offer practical insights for improving security reporting policies and community management, ultimately contributing to a more secure open-source ecosystem.