Building security researcher and developer collaboration

By Hauwa Otori
software developer
February 11, 2022

When a software vulnerability is detected, it can be a stressful event for the software maintainer who oversees the originating code. The developer and security research communities are expected to work together to address potential threats, yet there’s limited understanding of the dynamics between them. On top of this, the security research community lacks standardized vulnerability disclosure processes. Various organizations have developed their own processes and methods of communicating vulnerabilities, whether directly through email, through triaged reports or through ticketing systems.

So what’s top of mind for cybersecurity professionals during a vulnerability management process? And, how can the research community build ongoing partnerships with them?

To bring awareness to these interactions and relationships, the GitHub Security Lab conducted interviews with open source maintainers between November 2020 and March 2021. Here are the top findings from the maintainers’ perspective and three ways to initiate better communication and collaboration between researchers and software developers.

Recent research on software developer and security researcher interactions

At the height of a vulnerability disclosure, developers and security researchers must navigate sharing sensitive information and facilitating critical collaboration to address the security issue. It is understandable that, at times, there has been friction and tension in these relationships.

The research identified three categories of findings: maintainers’ engagement with security researchers, their communication preferences in receiving notice of vulnerabilities and their perception of the disclosure process. Notable insights from maintainer interviews showed that:

  1. Maintainers have minimal ongoing engagement with the security research community. Although a majority of maintainers have little to no engagement with researchers, they are open to learning and receiving foundational information about security research. Beyond vulnerability reports, some maintainers mentioned they engage with security researchers through channels like Twitter, Slack, Discord or conversations with friends in the security industry.
  2. Maintainers describe their interactions with security researchers as generally positive; however, this is not universally true and depends largely on the individual researcher.
  3. Maintainers welcome constructive criticism that is actionable and widely applicable. After receiving a vulnerability report, maintainers experience a range of emotions, including anxiety and stress that can be mitigated by straightforward communication. Additionally, when feedback is shared in a negative way, maintainers may ignore or set boundaries with what type of discussions they will or will not engage in.
  4. Maintainers prefer that reports be submitted to them privately.
  5. Some maintainers prefer to receive a security notification as a report that contains a summary of the problem, an explanation of the specific issue, the vulnerability’s potential impact and advice on remediation. Maintainers do not see remediation suggestions as a requirement for security researchers, but they find them helpful when provided, given that open source maintainers volunteer their time.
  6. A majority of maintainers have a designated security contact; however, most do not yet have a formal security policy and either want to implement one or are actively working on creating one.
  7. While most agree on the 90-day disclosure deadline as an industry standard, maintainers also want flexibility and more collaboration in determining the timeline.

How to strengthen developer-security researcher ties

Strong relationships between developers and security researchers are essential to securing open source software. Bringing awareness to their current work environment is the first step in creating effective partnerships. Here are a few recommendations on ways to improve communication and collaboration.

  • Engage and initiate communication outside of the vulnerability process. To smooth interactions during a sensitive time like a vulnerability disclosure, communication between security researchers and developers should happen consistently outside of these processes. Encouraging open lines of communication and sharing best practices is one way to start. For example, in this latest study, maintainers expressed interest in seeing resources provided by security teams that share foundational information such as background on common classes of vulnerabilities, vulnerability patterns, how bugs are found, and the security community’s expectations of software developers. Fostering ongoing communication outside of critical vulnerability fixes boosts trust and collaboration before having to work through a disclosure.
  • Respect developer communication preferences and approach outreach in a constructive manner. Knowing developers want to receive straightforward notifications of a vulnerability, security researchers should ensure their outreach is clear, upfront and actionable. All communication should reflect mutual respect and encourage cooperation. As the industry continues to tackle security fixes, there is an opportunity for the research community to share best practices around recent disclosures and communication methods that help developers know what to expect.
  • Explore and trial new methods that involve maintainers in the process of a disclosure and vulnerability fix. Developers and security researchers will always be linked through their work — building and maintaining software and protecting it from potential threats. While security teams create their own processes for handling vulnerability disclosures, finding ways to involve developers earlier in the development of those processes promotes collaboration. Although this is not always possible at the moment of a disclosure, exploring new approaches through post mortems or debriefs with developers afterwards can help inform better ways to engage.

As cybersecurity threats and software supply chain vulnerabilities continue to emerge, the partnership between researchers and developers is vital to protect software development. By understanding the relationship between these stakeholders in a community that lacks standardization, we can work towards more effective methods to address vulnerabilities and build a safer, secure and more collaborative ecosystem.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.


Hauwa Otori is a Senior Security Researcher at the GitHub Security Lab, where she explores the interactions between developer and security research communities. Additionally, Otori is an attorney with a background in social science research and is a published book author of Children and the Media: Self-Other Perceptions of Occupational Portrayals in the Media.
