Study Description

We are conducting interviews to understand how open-source software (OSS) contributors think about threats to their projects. We want to know what process(es) you use to find threats, decide whether to mitigate threats, and how to communicate threats to other developers and users. By understanding how OSS contributors think about threats, we can identify which processes are best, and find ways to support OSS development.

If you are interested in participating in an interview, please fill out our survey here. You are eligible to participate in an interview if you have regularly contributed to an OSS project for at least one year, you are at least 18 years old, and you speak English fluently. Respondents currently located in Mainland China are not eligible. Taiwan, Hong Kong SAR, and Macao SAR are eligible.

Participants who join us for an interview will receive a $40 Amazon or Tango gift card. We will protect the privacy and confidentiality of any information you share with us to the best of our abilities.

If you are interested, click the link below to complete the screening survey. Please contact us at dvotipka@cs.tufts.edu if you have any questions about the study!

Researchers

Carson Powers

PhD Candidate
Tufts University
Computer Science Department

carson.powers@tufts.edu

Harjot Kaur

PhD Candidate
CISPA Helmholtz Center for Information Security

kaur@sec.uni-hannover.de

harjot.kaur@cispa.de

Ron Thompson

PhD Candidate
Tufts University
Computer Science Department

rthomp06@cs.tufts.edu

Daniel Votipka

Assistant Professor
Tufts University
Computer Science Department

dvotipka@cs.tufts.edu

Sascha Fahl

Faculty
CISPA Helmholtz Center for Information Security

fahl@cispa.de




FAQ

Why are you contacting me?

We are conducting interviews to learn the processes open-source software (OSS) developers use when they think about threats to their software. Our goal is to understand these processes so that we can create more efficient and effective practices for finding threats and communicating these threats to other developers.

Who are you?

We are a group of academic researchers from Tufts University, Leibniz University Hannover, and CISPA who are passionate about cybersecurity research as well as improving OSS security.

What happens if I want to participate?

If you choose to participate, you can follow this link to take the screening survey, which will ask you some basic questions about your association with OSS, along with a couple of general questions about the size of the project(s) you work on. We will ask that you provide us with a link to a public profile that confirms that you contribute to OSS. We will delete your link once we have determined you qualify. Your profile will be used to determine your qualification only, and it will not be included in our analysis or results.

We will select some qualified individuals to participate in 60-75 minute interviews, where we will ask about the process(es) you use when thinking about threats to your projects, and how you communicate this information with others. We will record our interview to make sure we get your words accurately. You may turn off your camera if you do not want video recorded. If you want to answer a question but do not want it recorded, please let us know, and we will turn off the recording during that question. If at any point you would like to share potentially confidential information that you think is important for the context but feel uncomfortable recording, or you realize you have shared confidential information that you would not like recorded, please let us know. We will either temporarily turn off the recording and stop taking notes, or erase the included confidential information from the recording and remove it from our notes. When the interview is complete, we will send the recording (after we have removed any portions that you do not want recorded) to a third-party transcription service. We have a Non-Disclosure Agreement in effect with this transcription service. After the transcription accuracy has been confirmed, we will delete the recordings. Summary statistics and anonymized interview quotes may be shared in our research findings and for future research without your additional consent.

I am concerned about my data security and privacy!

Fantastic! So are we! All your data will be kept confidential and will be accessible only to the researchers listed on this webpage. If you are selected for an interview, we will ask to record the interview to make sure we get your words accurately. If at any point during the interview you would like us to pause recording, we will do so. If you would like us to remove a portion of the recording or remove references to something you said from our notes, we will do so. We will never share your name, the name of projects you work on, or any other information that could be used to identify you or your project. If you have any questions or concerns, please contact any member of our research team.

What’s in it for me?

Our goal is to learn how OSS contributors think about threats to their projects, including finding and mitigating threats, and communicating threat information to other developers and users. If you participate in an interview, you will receive a $40 Amazon or Tango gift card. The survey portion is not paid. Additionally, we hope the information we gather will help create easier, more efficient, and more effective threat-finding practices for OSS projects.

Why are people in Mainland China not eligible to participate?

Due to the recently enacted Personal Information Protection Law (PIPL), we are not accepting participants who are located in Mainland China (defined as areas within the People's Republic of China, excluding the Special Administrative Regions of Hong Kong and Macao). All of our research activities are scrutinized by the Tufts Social, Behavioral, and Educational Research Institutional Review Board (Tufts SBER IRB) to ensure the safety of our participants. Though Tufts SBER IRB maintains high standards to ensure participants' personal information is stored securely, they have not reviewed whether our data protection practices are in compliance with PIPL. PIPL applies to all natural individuals within the borders of Mainland China regardless of citizenship.

What happens if I do not want to participate?

Nothing. If you begin the survey but change your mind, you can exit the survey at any time, and any information entered up to that point will not be recorded. If you participate in an interview, you can choose to turn your camera off to avoid being video recorded. You may skip a question if you do not feel comfortable answering it. If you disclose any information that you would later like to remove, we will remove it from our notes and the interview transcript. If you choose to end the interview early, we will delete all copies of notes and recordings of our interview.

It is your decision whether or not to participate. Participation is completely voluntary, and your decision not to participate will not affect any resources to which you are already entitled.