A Large-scale Study of Security Vulnerability Support on Developer Q&A Websites

Proceedings of Evaluation and Assessment in Software Engineering (EASE 2021), 2021

Abstract
Context: Developers usually seek solutions for addressing Security Vulnerabilities (SVs) on developer Question and Answer (Q&A) websites. However, little is still known about these SV-specific discussions on different Q&A sites. Objective: We present a large-scale empirical study to understand developers' SV discussions and how these discussions are supported by Q&A sites. Method: We use topic modeling to uncover the topics of 71,329 curated SV posts from two large Q&A sites, namely Stack Overflow (SO) and Security StackExchange (SSE). We then analyze the popularity, difficulty, and level of expertise for each topic. We also perform a qualitative analysis to identify the types of solutions given to SV-related questions. Results: We identify 13 main SV discussion topics. Many topics do not follow the distributions and trends in expert-based security sources, e.g., the Common Weakness Enumeration (CWE) and the Open Web Application Security Project (OWASP). We also discover that SV discussions attract more experts to answer than many other domains, but some difficult SV topics (e.g., Vulnerability Scanning Tools) still receive quite limited support from experts. Moreover, we identify seven key types of answers given to SV questions: SO often provides code and instructions, while SSE usually gives experience-based advice and explanations. Conclusion: Our findings help researchers and practitioners to effectively acquire, share and leverage SV knowledge on Q&A sites.
Keywords
Security Vulnerability, Natural Language Processing, Topic Modeling, Mining Software Repositories, Empirical Study
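Added illustration of the method sketched in the abstract (curate SV posts, topic-model them, then measure popularity and difficulty per topic). This is example code written for this page, not the authors' pipeline or data. The sample posts are constructed; the tag allow-list used for curation, the field names, and the metric definitions (mean views and score for popularity; share of posts never accepted and median hours to acceptance for difficulty) are assumptions for the example, not the paper's exact definitions. The topic model is a small collapsed-Gibbs LDA in pure Python so it runs offline; the paper does not say which implementation it used.

```python
import random
import re
import statistics
from collections import defaultdict

# Constructed sample Q&A posts (not real Stack Overflow / SSE data). Field names are assumed
# for this example: tags, view count, score, hours until an answer was accepted (None = never).
POSTS = [
    {"id": 1, "tags": ["sql", "sql-injection"], "views": 1200, "score": 8, "accepted_after_h": 2.0,
     "text": "Prevent SQL injection: user input is concatenated into the query string; how to use prepared statements and bind parameters"},
    {"id": 2, "tags": ["javascript", "xss"], "views": 800, "score": 5, "accepted_after_h": 5.5,
     "text": "Stop reflected XSS: untrusted input is written into HTML with innerHTML; how to escape or sanitize output against script injection"},
    {"id": 3, "tags": ["php", "csrf"], "views": 450, "score": 3, "accepted_after_h": None,
     "text": "CSRF token validation fails: the session token does not match the hidden form field; how should the anti-forgery token be checked"},
    {"id": 4, "tags": ["c", "buffer-overflow"], "views": 300, "score": 2, "accepted_after_h": 26.0,
     "text": "strcpy buffer overflow: a long string copied into a fixed-size stack array overflows; how do canaries and bounds checks prevent it"},
    {"id": 5, "tags": ["security", "vulnerability"], "views": 150, "score": 1, "accepted_after_h": None,
     "text": "Which vulnerability scanner finds known CVEs and misconfigurations in a deployed web application; tool recommendations"},
    {"id": 6, "tags": ["sql", "sql-injection"], "views": 900, "score": 6, "accepted_after_h": 1.0,
     "text": "Blind SQL injection through ORDER BY: the column name comes from a request parameter and cannot be bound; allow-list the column"},
    {"id": 7, "tags": ["python", "pandas"], "views": 2000, "score": 12, "accepted_after_h": 0.5,
     "text": "Merge two dataframes on a shared key column in pandas"},
    {"id": 8, "tags": ["git"], "views": 700, "score": 4, "accepted_after_h": 1.0,
     "text": "Undo the most recent commit but keep the working tree changes"},
]

# Tag allow-list standing in for the paper's curation step (assumed, not the paper's list).
SV_TAGS = {"sql-injection", "xss", "csrf", "buffer-overflow", "security", "vulnerability"}
STOPWORDS = {"the", "a", "an", "in", "to", "of", "and", "is", "it", "for", "on", "with", "how",
             "do", "does", "be", "from", "are", "into", "should", "which", "but", "can", "not"}


def curate_sv_posts(posts, sv_tags=SV_TAGS):
    """Curation step: keep only posts carrying at least one SV-related tag."""
    return [p for p in posts if sv_tags & set(p["tags"])]


def tokenize(text):
    """Lower-case, keep alphabetic tokens of length >= 2, drop stopwords."""
    return [t for t in re.findall(r"[a-z][a-z\-]+", text.lower()) if t not in STOPWORDS]


def lda_gibbs(docs, k, iters=200, alpha=0.1, beta=0.01, seed=7):
    """Collapsed Gibbs sampling for LDA with k topics (pure Python, seeded for reproducibility).
    Returns topic-word (phi) and document-topic (theta) distributions, the top words per
    topic, and each document's dominant topic."""
    rng = random.Random(seed)
    tokens = [tokenize(d) for d in docs]
    vocab = sorted({w for doc in tokens for w in doc})
    widx = {w: i for i, w in enumerate(vocab)}
    V = len(vocab)
    ndk = [[0] * k for _ in tokens]          # document -> topic counts
    nkw = [[0] * V for _ in range(k)]        # topic -> word counts
    nk = [0] * k                             # tokens assigned to each topic
    z = []                                   # current topic of every token
    for d, doc in enumerate(tokens):         # random initial assignment
        z.append([])
        for w in doc:
            t = rng.randrange(k)
            z[d].append(t)
            ndk[d][t] += 1
            nkw[t][widx[w]] += 1
            nk[t] += 1
    for _ in range(iters):                   # Gibbs sweeps: remove a token, resample its topic
        for d, doc in enumerate(tokens):
            for i, w in enumerate(doc):
                t, wi = z[d][i], widx[w]
                ndk[d][t] -= 1
                nkw[t][wi] -= 1
                nk[t] -= 1
                weights = [(ndk[d][j] + alpha) * (nkw[j][wi] + beta) / (nk[j] + V * beta)
                           for j in range(k)]
                t = rng.choices(range(k), weights=weights)[0]
                z[d][i] = t
                ndk[d][t] += 1
                nkw[t][wi] += 1
                nk[t] += 1
    phi = [[(nkw[t][i] + beta) / (nk[t] + V * beta) for i in range(V)] for t in range(k)]
    theta = [[(ndk[d][t] + alpha) / (len(doc) + k * alpha) for t in range(k)]
             for d, doc in enumerate(tokens)]
    top_words = {t: [vocab[i] for i in sorted(range(V), key=lambda i: -phi[t][i])[:5]]
                 for t in range(k)}
    dominant = [max(range(k), key=lambda t: theta[d][t]) for d in range(len(tokens))]
    return {"vocab": vocab, "phi": phi, "theta": theta, "top_words": top_words, "dominant": dominant}


def topic_metrics(posts, dominant):
    """Per-topic popularity (mean views, mean score) and difficulty (share of posts never
    accepted, median hours to acceptance). These definitions are assumptions for the example."""
    by_topic = defaultdict(list)
    for p, t in zip(posts, dominant):
        by_topic[t].append(p)
    out = {}
    for t, ps in sorted(by_topic.items()):
        accepted = [p["accepted_after_h"] for p in ps if p["accepted_after_h"] is not None]
        out[t] = {"n": len(ps),
                  "mean_views": statistics.mean([p["views"] for p in ps]),
                  "mean_score": statistics.mean([p["score"] for p in ps]),
                  "unaccepted_ratio": 1 - len(accepted) / len(ps),
                  "median_hours_to_accept": statistics.median(accepted) if accepted else None}
    return out


if __name__ == "__main__":
    sv = curate_sv_posts(POSTS)
    model = lda_gibbs([p["text"] for p in sv], k=3)
    for t, words in model["top_words"].items():
        print(f"topic {t}: {words}")
    for t, m in topic_metrics(sv, model["dominant"]).items():
        print(f"topic {t}: {m}")
```

On six constructed posts the topic split is of course unstable; the point is the shape of the pipeline: curation by tag before modeling (so the unrelated pandas and git posts never enter the corpus), a seeded sampler so a run is reproducible, and difficulty measured from acceptance behaviour rather than from the text, which is what lets a topic such as scanning tools show up as hard even when it is not especially large.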