Vulnerabilities and Patches of Open Source Software: An Empirical Study

Software selection is an important consideration in managing the information security function. Open source software is touted by proponents as being robust to many of the security problems that seem to plague proprietary software. This study empirically investigates specific security characteristics of open source and proprietary operating system software. Software vulnerability data spanning several years are collected and analyzed to determine if significant differences exist in terms of inter-arrival times of published vulnerabilities, median time to release patches, type of vulnerability reported and respective severity of the vulnerabilities. The results demonstrate that open source and proprietary operating system software are each likely to report similar vulnerabilities and that open source providers are only marginally quicker in releasing patches for problems identified in their software. The arguments favoring the inherent security of open source software do not appear to hold up to such analysis. These findings provide guidance to security managers to focus on holistic software security management, irrespective of the proprietary-nature of the underlying software.