Vulnerability Patching Across Software Products and Software Components: A Case Study of Red Hat's Product Portfolio
Published: Sep 16, 2025
Last Updated: Sep 16, 2025
Authors: Jukka Ruohonen, Sani Abdullahi, Abhishek Tiwari
Abstract
Motivated by software maintenance and the more recent concept of security debt, the paper presents a time series analysis of vulnerability patching of Red Hat's products and components between 1999 and 2024. According to the results based on segmented regression analysis, the amounts of vulnerable products and components have not been stable; a linear trend describes many of the series well. Nor do the amounts align well with trends characterizing vulnerabilities in general. There are also visible breakpoints indicating that the linear trend is not universally applicable and that the growing security debt may be stabilizing.