A Theory of Open Source Security: The Spillover of Security Knowledge in Vulnerability Disclosures Through Software Supply Chains

Lin, Yu-Kai; Li, Weifeng

doi:10.2139/ssrn.4472516

Download This Paper

Open PDF in Browser

Add Paper to My Library

A Theory of Open Source Security: The Spillover of Security Knowledge in Vulnerability Disclosures Through Software Supply Chains

53 Pages Posted: 7 Jun 2023

See all articles by Yu-Kai Lin

Yu-Kai Lin

Georgia State University - J. Mack Robinson College of Business

Weifeng Li

University of Georgia

Date Written: June 7, 2023

Abstract

Open source software (OSS) is critical to digital sovereignty and is required for the modern digital economy. Despite being widely used and highly valued, OSS is not free from security defects. Recent discoveries of critical vulnerabilities in OSS, such as “Log4Shell” and “Heartbleed,” underscore the importance of, and lack of theories about, open source security. Drawing on organizational learning theory and viewing OSS from the perspective of software supply chains, this study offers a novel theoretical perspective into positive knowledge spillover of vulnerability disclosures in the OSS ecosystem. This occurs when an OSS project (that is, a supplier) discloses a software vulnerability. The security knowledge will be transferred through software supply chains to downstream OSS projects (i.e., consumers), enabling the latter group to better identify new vulnerabilities with similar technical weaknesses in their own code repositories. We further theorized that the severity of the supplier’s vulnerability moderates knowledge spillover, where a critical vulnerability, as compared to a noncritical one, yields a much higher spillover that induces interorganizational learning. To validate our theoretical predictions, we conducted a comprehensive analysis using data assembled from the National Vulnerability Database, Libraries.io, and Google’s open source vulnerabilities database. We discovered compelling empirical evidence supporting both the proposed knowledge spillover effect and the moderating relationship. Acknowledging the existence of various causal pathways that may contribute to the observed knowledge spillovers, we analyzed potential mechanisms and showed that our theory (i.e., organizational learning from vulnerability disclosures through software supply chains) was a more plausible and salient mechanism relative to the alternatives.

Keywords: open source security, open source software, software supply chain, software dependency, software vulnerability, information security, security incident, organizational learning, digital sovereignty

Suggested Citation: Suggested Citation

Lin, Yu-Kai and Li, Weifeng, A Theory of Open Source Security: The Spillover of Security Knowledge in Vulnerability Disclosures Through Software Supply Chains (June 7, 2023). Available at SSRN: https://ssrn.com/abstract=4472516 or http://dx.doi.org/10.2139/ssrn.4472516