Reusing third-party libraries increases developer productivity and saves time and cost. The downside is that vulnerabilities in those libraries can lead to catastrophic outcomes. For instance, Apache Log4J was found to be vulnerable to remote code execution attacks, and more than 35,000 packages were forced to update their Log4J libraries to the latest version. Although several studies have been conducted to predict software vulnerabilities, these predictions do not cover vulnerabilities found in third-party libraries. Even if developers are aware of a forthcoming issue, re-implementing functionality equivalent to the library's would be time-consuming and labour-intensive. It is therefore practically reasonable for software developers to update their third-party libraries (and their dependencies) whenever the software vendors release a vulnerability-free version. In this work, our manual study focuses on the real-world practices (crowd reaction) adopted by software vendors and developer communities when a vulnerability is disclosed. We manually investigated 312 CVEs and identified that the primary trend in vulnerability handling is to provide a fix before publishing an announcement. Otherwise, developers wait an average of 10 days for a fix when none is available at the time of the announcement. Additionally, the crowd reaction is oblivious to the severity of the vulnerability. In particular, we identified Oracle as the most vibrant community, diligent in releasing fixes; its software developers also actively participate in the associated vulnerability announcements.