Open source software (OSS) development is an increasingly important paradigm of software development. However, key aspects of OSS, such as the determinants of project success and the motivations of developers who join these projects, are not well understood. Drawing on organizational theory, we propose that the OSS activities of patch development and feature request can be classified as exploitation (implementation-oriented) and exploration (innovation-oriented) activities, respectively. We empirically examine how the structure of the social network affects the success of patch-development and feature-request networks in OSS projects, using a data set collected from the SourceForge database. Our results provide empirical support for the view that patch development and feature request are exploitation and exploration activities, respectively. Network structures differ because teams form differently for the two activities, and they have a differential impact on development success depending on the type of activity. The concepts of ambidextrous developers and ambidexterity are explored in the context of OSS projects. Collectively, our results indicate that studying OSS projects at the artifact level could improve our understanding of OSS project success and team formation, which in turn could lead to better management of OSS projects.
Software vulnerabilities have become a serious concern because unpatched software runs the risk of being exploited by attackers. Software vendors therefore need to make patches for vulnerabilities in their products available in a timely manner. We develop a survival analysis model of software vendors' patch release behavior and test it using a data set compiled from the National Vulnerability Database, the United States Computer Emergency Readiness Team, and vendor Web sites. The model helps explain how factors specific to vulnerabilities, patches, software vendors, and software affect vendors' patch release behavior given their cost structure. The study also analyzes how the presence of multiple vendors and the type of vendor affect patch release behavior. Our results indicate that vulnerabilities with high confidentiality impact or high integrity impact are patched faster than vulnerabilities with high availability impact. We also find differences in patch release behavior by software type (new release versus update) and by type of vendor (open source versus proprietary). Our results show that when there are legislative pressures, vendors react faster in patching vulnerabilities. Thus, appropriate regulations can be an important policy tool to influence vendor behavior toward socially desirable security outcomes.
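The survival-analysis framing in the abstract above hinges on one detail a practitioner easily gets wrong: at the data-collection date many vulnerabilities are still unpatched, and those records are right-censored, not missing. The following is an added illustration, not code from the paper (the paper's model, covariates and data set are not reproduced on this page): a Kaplan-Meier estimate of time-to-patch from disclosure to vendor patch, stratified by which impact rating is high, next to the naive "mean over patched records only" that silently drops the censored ones. The vulnerability records, impact labels and cutoff date are constructed for the example; the identifiers are not real CVEs.

```python
"""Added example: Kaplan-Meier time-to-patch with right-censoring.

Not code from the paper; the records below are constructed and the
cutoff date stands in for the data-collection date of a real study.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str              # constructed identifier, not a real CVE
    disclosed: date           # public disclosure date
    patched: Optional[date]   # None = no vendor patch by the cutoff (right-censored)
    impact: str               # which CIA property is rated high (constructed label)


CUTOFF = date(2024, 7, 1)  # constructed data-collection date

RECORDS: List[VulnRecord] = [
    VulnRecord("C-1", date(2024, 1, 10), date(2024, 1, 17), "confidentiality"),
    VulnRecord("C-2", date(2024, 1, 10), date(2024, 1, 24), "confidentiality"),
    VulnRecord("C-3", date(2024, 2, 1), date(2024, 2, 8), "confidentiality"),
    VulnRecord("C-4", date(2024, 2, 1), None, "confidentiality"),
    VulnRecord("C-5", date(2024, 3, 5), date(2024, 3, 26), "confidentiality"),
    VulnRecord("A-1", date(2024, 1, 15), date(2024, 2, 14), "availability"),
    VulnRecord("A-2", date(2024, 1, 15), None, "availability"),
    VulnRecord("A-3", date(2024, 2, 20), None, "availability"),
    VulnRecord("A-4", date(2024, 3, 1), date(2024, 3, 31), "availability"),
    VulnRecord("A-5", date(2024, 3, 10), None, "availability"),
]

Observation = Tuple[int, int]  # (days observed, 1 = patch seen, 0 = censored)


def to_observation(rec: VulnRecord, cutoff: date) -> Observation:
    """Days from disclosure to patch, or to the cutoff if still unpatched."""
    if rec.patched is not None:
        return ((rec.patched - rec.disclosed).days, 1)
    return ((cutoff - rec.disclosed).days, 0)


def kaplan_meier(observations: List[Observation]) -> List[Tuple[int, float]]:
    """Product-limit estimate S(t) = P(still unpatched after day t).

    Censored items stay in the risk set at their own time (events are
    taken to precede censoring on ties) and then drop out; they never
    lower S(t) themselves.  Returns (t, S(t)) at each event time.
    """
    obs = sorted(observations)
    at_risk = len(obs)
    surv = 1.0
    curve: List[Tuple[int, float]] = []
    i = 0
    while i < len(obs):
        t = obs[i][0]
        events = censored = 0
        while i < len(obs) and obs[i][0] == t:
            if obs[i][1] == 1:
                events += 1
            else:
                censored += 1
            i += 1
        if events:
            surv *= 1.0 - events / at_risk
            curve.append((t, surv))
        at_risk -= events + censored
    return curve


def median_time(curve: List[Tuple[int, float]]) -> Optional[int]:
    """First day at which S(t) <= 0.5; None if half the group never reached a patch."""
    for t, s in curve:
        if s <= 0.5:
            return t
    return None


def naive_mean_days(records: List[VulnRecord]) -> Optional[float]:
    """Mean time-to-patch over patched records only: the optimistic number
    you get by dropping the censored (still unpatched) records."""
    days = [(r.patched - r.disclosed).days for r in records if r.patched is not None]
    return sum(days) / len(days) if days else None


def time_to_patch_by_impact(records: List[VulnRecord], cutoff: date) -> Dict[str, dict]:
    """Per impact type: KM curve, KM median, and the naive patched-only mean."""
    out: Dict[str, dict] = {}
    for impact in sorted({r.impact for r in records}):
        group = [r for r in records if r.impact == impact]
        curve = kaplan_meier([to_observation(r, cutoff) for r in group])
        out[impact] = {"curve": curve, "median": median_time(curve),
                       "naive_mean": naive_mean_days(group)}
    return out


if __name__ == "__main__":
    for impact, res in time_to_patch_by_impact(RECORDS, CUTOFF).items():
        print(impact, "KM median:", res["median"], "naive mean:", res["naive_mean"])
```

On the constructed records the availability group has two patches at 30 days and three still open at the cutoff, so the patched-only mean reports 30 days while the Kaplan-Meier median is undefined (S(t) never falls to 0.5): the data cannot support any claim that availability bugs are patched within a month. That gap is why the abstract's comparison is done with a survival model rather than with averages over patched vulnerabilities.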