The paper examines the handling times of software vulnerabilities in CPython, the reference implementation and interpreter for what is likely today's most popular programming language, Python. The background comes from so-called vulnerability life cycle analysis, the literature on bug fixing times, and recent research on the security of Python software. Based on regression analysis, the associated vulnerability fixing times can be explained very well merely by knowing who reported the vulnerabilities. Severity, proof-of-concept code, commits made to a version control system, comments posted on a bug tracker, and references to other sources do not explain the vulnerability fixing times. With these results, the paper contributes to the recent effort to better understand the security of the Python ecosystem.