Managing Complex Software Vulnerabilities: An Empirical Analysis of Open-Source Operating Systems


  • Jean-Loup Richet IAE Paris - Sorbonne Business School, Université Paris 1 Panthéon-Sorbonne
  • Wafa Bouaynaya IAE d'Amiens/LEFMI, Université de Picardie Jules Verne


Complexity, Open-Source Operating Systems, Vulnerability Management


There is a growing gap between practitioners and researchers: existing scholarly research on software vulnerabilities does not adequately guide developers in effectively managing their vulnerabilities in the context of ‘software as amalgam’ and open source. We respond to practitioners’ call for more research on vulnerability management with a case of effective vulnerability management in the context of an open-source operating system (OSOS). Our paper thus sets out to bridge this gap with practice and to discuss a concern overlooked in the academic literature: how do organizations effectively manage their vulnerabilities? We provide an empirical contribution with an extreme case of vulnerability management in a large OSOS (Debian). Our research uncovers behavioral dynamics and practices that foster responsiveness and adaptation in vulnerability management, highlighting its complexity and dynamics.





How to Cite

Richet, J.-L., & Bouaynaya, W. (2023). Managing Complex Software Vulnerabilities: An Empirical Analysis of Open-Source Operating Systems. Systèmes d’Information Et Management (French Journal of Management Information Systems), 28(1). Retrieved from



Empirical research