In the rapidly evolving landscape of software development, addressing security vulnerabilities in open-source software (OSS) has become critically important. However, existing research and tools from both academia and industry mainly relied on limited solutions, such as vulnerable version adjustment and adopting patches, to handle identified vulnerabilities. However, far more flexible and diverse countermeasures have been actively adopted in the open-source communities. A holistic empirical study is needed to explore the prevalence, distribution, preferences, and effectiveness of these diverse strategies. To this end, in this paper, we conduct a comprehensive study on the taxonomy of vulnerability remediation tactics (RT) in OSS projects and investigate their pros and cons. This study addresses this oversight by conducting a comprehensive empirical analysis of 21,187 issues from GitHub, aiming to understand the range and efficacy of remediation tactics within the OSS community. We developed a hierarchical taxonomy of 44 distinct RT and evaluated their effectiveness and costs. Our findings highlight a significant reliance on community-driven strategies, like using alternative libraries and bypassing vulnerabilities, 44% of which are currently unsupported by cutting-edge tools. Additionally, this research exposes the community's preferences for certain fixing approaches by analyzing their acceptance and the reasons for rejection. It also underscores a critical gap in modern vulnerability databases, where 54% of CVEs lack fixing suggestions, a gap that can be significantly mitigated by leveraging the 93% of actionable solutions provided through GitHub issues.

翻译：在快速演进的软件开发领域，解决开源软件（OSS）中的安全漏洞已变得至关重要。然而，学术界和工业界现有的研究与工具主要依赖有限的解决方案（如易受攻击版本调整和采用补丁）来处理已识别的漏洞。实际上，开源社区中已积极采用了更为灵活多样的应对措施。需要进行全面的实证研究来探索这些多样化策略的普遍性、分布、偏好及有效性。为此，本文对OSS项目中漏洞修复策略（RT）的分类体系进行了全面研究，并探讨了其优缺点。本研究通过对GitHub上21,187个问题进行全面实证分析，旨在理解OSS社区内修复策略的范围和效能，从而弥补这一研究空白。我们构建了一个包含44种不同RT的层次化分类体系，并评估了其有效性和成本。我们的研究结果突显了社区驱动策略（如使用替代库和绕过漏洞）的重要依赖，其中44%的策略目前尚未得到尖端工具的支持。此外，本研究通过分析修复方法的接受度及拒绝原因，揭示了社区对特定修复方式的偏好。研究还指出现代漏洞数据库中的一个关键缺陷：54%的CVE条目缺乏修复建议，而利用GitHub问题中提供的93%可操作解决方案可显著弥补这一不足。