During software development, balancing security and non-security issues is challenging. We focus on the security awareness of non-security experts and the approaches they take when security comes up in software development issue trackers. We first analyse the interfaces of prominent issue trackers to see how they support security communication and whether they integrate security scoring. We then investigate, through a small-scale user study, which criteria developers use when prioritising issues, observing in particular their attitudes to security. We find that projects do refer to CVSS (Common Vulnerability Scoring System) summaries, often alongside CVE (Common Vulnerabilities and Exposures) reports, but that issue trackers rarely provide interfaces designed for this. Users in our study were not comfortable performing CVSS analysis themselves, yet they were able to reason in a manner compatible with CVSS. Detailed explanations and advice were seen as helpful when making security decisions. This suggests that improving communication through CVSS-like questioning in issue-tracking software can elicit better security interactions.