An Empirical Study of Security Requirements in Planning Bug Fixes for an Open Source Software Project

it is often difficult to estimate the resources needed to plan for bug fixing activities in software development projects. Security bug fixes are commonly implemented as patches in response to emergent common vulnerability and exposure (CVE) reports. In this paper we investigate how to plan for bug fixing, and whether security related bug fixes are different from other bugs. In a preprocessing step, we classify security and nonsecurity bugs by using a definition of security requirements to elicit the keywords such as 'protection', 'assets' and 'malicious attackers', and by ranking their frequency of occurrences in the bug descriptions. We then create two release-planning inputs: one about the entire bug fixing activities, and another about bug fixes related to security requirements only. The results of the release plans are compared, with the bug fixing events recorded in the software repositories. Through a Samba case study, we show that it is possible to fix more high-priority bugs within limited given resource, and that bugs related to security requirements are materially different from other kinds of bugs. KeywordsSecurity Requirements; Release Planning; Bug fixes; Empirical study; Open-Source Software;