Demystifying the Mysteries of Security Vulnerability Discussions on Developer Q&A Sites

Detection and mitigation of Security Vulnerabilities (SVs) are integral tasks in software development and maintenance. Software developers often explore developer Question and Answer (Q&A) websites to find solutions for securing their software. However, there is empirically little known about the on-going SV-related discussions and how the Q&A sites are supporting such discussions. To demystify such mysteries, we conduct large-scale qualitative and quantitative experiments to study the characteristics of 67,864 SV-related posts on Stack Overflow (SO) and Security StackExchange (SSE). We first find that the existing SV categorization of formal security sources is not frequently used on Q&A sites. Therefore, we use Latent Dirichlet Allocation topic modeling to extract a new taxonomy of thirteen SV discussion topics on Q&A sites. We then study the characteristics of such SV topics. Brute-force/Timing Attacks and Vulnerability Testing are found the most popular and difficult topics, respectively. We discover that despite having higher user expertise than other domains, the difficult SV topics do not gain as much attention from experienced users as the more popular ones. Seven types of answers to SV-related questions are also identified on Q&A sites, in which SO usually gives instructions and code, while SSE provides more explanations and/or experience-based advice. Our findings can help practitioners and researchers to utilize Q&A sites more effectively to learn and share SV knowledge