A Theory of Open Source Security: The Spillover of Security Knowledge in Vulnerability Disclosures Through Software Supply Chains
53 Pages
Posted: 7 Jun 2023
Date Written: June 7, 2023
Abstract
Open source software (OSS) is critical to digital sovereignty and is required for the modern digital economy. Despite being widely used and highly valued, OSS is not free from security defects. Recent discoveries of critical vulnerabilities in OSS, such as “Log4Shell” and “Heartbleed,” underscore the importance of, and lack of theories about, open source security. Drawing on organizational learning theory and viewing OSS from the perspective of software supply chains, this study offers a novel theoretical perspective into positive knowledge spillover of vulnerability disclosures in the OSS ecosystem. This occurs when an OSS project (that is, a supplier) discloses a software vulnerability. The security knowledge will be transferred through software supply chains to downstream OSS projects (i.e., consumers), enabling the latter group to better identify new vulnerabilities with similar technical weaknesses in their own code repositories. We further theorized that the severity of the supplier’s vulnerability moderates knowledge spillover, where a critical vulnerability, as compared to a noncritical one, yields a much higher spillover that induces interorganizational learning. To validate our theoretical predictions, we conducted a comprehensive analysis using data assembled from the National Vulnerability Database, Libraries.io, and Google’s open source vulnerabilities database. We discovered compelling empirical evidence supporting both the proposed knowledge spillover effect and the moderating relationship. Acknowledging the existence of various causal pathways that may contribute to the observed knowledge spillovers, we analyzed potential mechanisms and showed that our theory (i.e., organizational learning from vulnerability disclosures through software supply chains) was a more plausible and salient mechanism relative to the alternatives.
Keywords: open source security, open source software, software supply chain, software dependency, software vulnerability, information security, security incident, organizational learning, digital sovereignty