Self-Admitted Technical Debt (SATD) encompasses a wide array of sub-optimal design and implementation choices that developers themselves report in software artefacts (e.g., code comments and commit messages). Such reports have been central to the study of software maintenance and evolution over the last decades. However, they can also be a worrying source of information about potentially exploitable vulnerabilities and security flaws. This work investigates the security implications of SATD from a technical and a developer-centred perspective. On the one hand, it analyses whether security pointers disclosed in SATD sources can be used to characterise vulnerabilities in Open-Source Software (OSS) projects and repositories. On the other hand, it delves into developers' perspectives on the motivations behind this practice, its prevalence, and its potential negative consequences. We followed a mixed-methods approach consisting of (i) the analysis of a pre-existing dataset containing 8,812 SATD instances and (ii) an online survey with 222 OSS practitioners. We gathered 201 SATD instances from the dataset analysis and mapped them to Common Weakness Enumeration (CWE) identifiers. Overall, 25 distinct CWEs were spotted across commit messages, pull requests, code comments, and issue sections, 8 of which appear in MITRE's CWE Top 25 Most Dangerous Software Weaknesses list. The survey shows that software practitioners often place security pointers in SATD artefacts to promote a security culture among their peers and to help them spot flaky code sections, among other motives. However, they also consider the practice risky, as it may facilitate vulnerability exploitation. Our findings suggest that preserving the contextual integrity of security pointers disseminated across SATD artefacts is critical to safeguarding both commercial and OSS solutions against zero-day attacks.
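The risk the abstract describes is that an SATD marker plus a security hint in a comment is exactly what an attacker can grep for. The following Python script is an added illustration (not the paper's tooling or dataset) of how such security pointers can be mechanically located in source text and tied to a candidate CWE. The marker list, the keyword-to-CWE table and the sample source are constructed for this example; the CWE table is a small illustrative subset chosen by the editor, not the paper's mapping, and the comment extractor only handles `#` and `//` line comments.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Markers developers commonly use to self-admit technical debt (assumed list).
SATD_MARKERS = ("TODO", "FIXME", "HACK", "XXX", "WORKAROUND", "TEMPORARY")
MARKER_RE = re.compile(r"\b(" + "|".join(SATD_MARKERS) + r")\b", re.IGNORECASE)

# Line comments only (# or //); strings containing these characters would be
# a false positive, which is an accepted simplification for this example.
COMMENT_RE = re.compile(r"(?:#|//)\s*(.+)$")

# Illustrative keyword -> CWE hints. This is an assumed subset for the example,
# not the mapping used in the paper. The CWE identifiers themselves are real.
SECURITY_HINTS = [
    (re.compile(r"sql\s*injection", re.I), "CWE-89"),
    (re.compile(r"\bxss\b|cross[- ]site scripting", re.I), "CWE-79"),
    (re.compile(r"hard[- ]?coded (secret|password|key|credential)", re.I), "CWE-798"),
    (re.compile(r"\bmd5\b|\bsha-?1\b|weak (hash|cipher|crypto)", re.I), "CWE-327"),
    (re.compile(r"auth(entication|orization)? (check )?(bypass|missing|skipped)|no auth", re.I), "CWE-306"),
    (re.compile(r"\brace\b|toctou", re.I), "CWE-362"),
    (re.compile(r"buffer overflow|out[- ]of[- ]bounds|no bounds check", re.I), "CWE-119"),
]


@dataclass
class Finding:
    line: int       # 1-based line number in the scanned source
    marker: str     # the SATD marker that was matched, upper-cased
    text: str       # the comment text
    cwes: list      # candidate CWE identifiers; empty for non-security SATD


def extract_comments(source: str):
    """Yield (line_number, comment_text) for every line comment in source."""
    for lineno, line in enumerate(source.splitlines(), 1):
        m = COMMENT_RE.search(line)
        if m:
            yield lineno, m.group(1)


def classify_comment(lineno: int, text: str):
    """Return a Finding if the comment is SATD, else None.

    The Finding's cwes list is non-empty only when a security hint is present,
    i.e. when the SATD comment also acts as a security pointer.
    """
    m = MARKER_RE.search(text)
    if not m:
        return None
    cwes = [cwe for rx, cwe in SECURITY_HINTS if rx.search(text)]
    return Finding(lineno, m.group(1).upper(), text.strip(), cwes)


def scan_source(source: str):
    """Return only the SATD comments that carry a security pointer."""
    findings = []
    for lineno, text in extract_comments(source):
        f = classify_comment(lineno, text)
        if f is not None and f.cwes:
            findings.append(f)
    return findings


def summarise(findings):
    """Count candidate CWEs across findings, mirroring a CWE-frequency table."""
    return dict(Counter(cwe for f in findings for cwe in f.cwes))


# Constructed sample: a mixed snippet with four security-bearing SATD comments
# and one ordinary (non-security) TODO that must not be reported.
SAMPLE_SOURCE = """\
def lookup(conn, user):
    # TODO: sanitize user before use, this is still open to SQL injection
    return conn.execute("SELECT * FROM t WHERE name = '" + user + "'")

API_KEY = "sk-live-0000"  # FIXME: hard-coded secret, move to the vault

# TODO: refactor this loop once the new parser lands
def sign(token):
    # HACK: MD5 is known broken here; switch to SHA-256 with a salt
    return hashlib.md5(token).hexdigest()

// XXX: auth check bypassed during the migration window
"""

if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line:>3} [{f.marker}] {', '.join(f.cwes)}: {f.text}")
    print("CWE frequency:", summarise(results))
```

Run against a real checkout (for example by feeding each file's contents to `scan_source`), the output is the list an adversary could assemble just as easily; a pre-merge hook that rejects or rewords such comments, or moves the detail into an access-controlled tracker, is one way to preserve the contextual integrity the abstract calls for.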