Who Writes the Bugs? A Deeper Look at 125,000 Kernel Vulnerabilities
4 hours ago
- #bug-fixing
- #kernel-vulnerabilities
- #code-review
- 117 super-reviewers catch bugs 47% faster than average.
- Self-fixed bugs (fixed by the developer who introduced them) have a lifetime of 0.88 years vs. 2.59 years for cross-fixes (fixed by a different developer).
- Weekend commits are 8% less likely to introduce vulnerabilities but take 45% longer to fix.
- Race conditions are the hardest bugs to find, with an average lifetime of 5.0 years.
- Intel introduces the most bugs (14,000) due to contributing the most code.
- Subsystems like drivers/can and networking/sctp have longer-lived bugs due to fewer maintainers.
- Specialized models for subsystems like networking and arch/arm64 could improve bug detection by 5-15%.
- Combining all recommendations could reduce average bug lifetime by 35%.