HATCH: Handling Vulnerabilities in the Value Chain
| Field | Value |
| --- | --- |
| Reference number | |
| Coordinator | Lunds universitet - Institutionen för datavetenskap |
| Funding from Vinnova | SEK 4 000 000 |
| Project duration | November 2018 - November 2021 |
| Status | Completed |
| Venture | Collaboration projects in cybersecurity and digital infrastructure |
Important results from the project
The project shows that it is possible to support both those who develop components and those who integrate systems in communicating vulnerabilities in open source. From the development and test use, we have gained an understanding of which functions such tools must support. From the integrator's point of view, for example, systems and vulnerabilities must be partitioned and sorted, because there are so many vulnerabilities but only a few are relevant to a given system. Developing organizations must, for example, be able to comment on vulnerabilities for both internal and external use.
Expected long term effects
A first version of a tool to facilitate communication about open source vulnerabilities between product developers and system integrators has been developed. Based on the research done during the project, we believe that this type of communication can improve vulnerability handling for several different types of systems. Interest in vulnerabilities remains high, and many companies maintain processes to analyze and fix this type of problem, not least in open source components.
Approach and implementation
The project has been run as a collaboration between researchers, product developers, system integrators and tool developers. Literature studies and case studies, aimed at understanding how vulnerability work is conducted in industry, have been combined with the development of a system for communication about vulnerabilities between developers and integrators. Early versions of the developed tool have been tested with the aim of investigating what information is to be communicated and how it is to be filtered.