A1 Refereed original research article in a scientific journal
A case study on software vulnerability coordination
Authors: Jukka Ruohonen, Sampsa Rauti, Sami Hyrynsalmi, Ville Leppänen
Publisher: Elsevier B.V.
Publication year: 2018
Journal: Information and Software Technology
Journal name in source: Information and Software Technology
Volume: 103
First page: 239
Last page: 257
Number of pages: 19
ISSN: 0950-5849
eISSN: 1873-6025
DOI: https://doi.org/10.1016/j.infsof.2018.06.005
Context: Coordination is a fundamental tenet of software engineering. Coordination is also required for identifying discovered and disclosed software vulnerabilities with Common Vulnerabilities and Exposures (CVEs). Motivated by recent practical challenges, this paper examines the coordination of CVEs for open source projects through a public mailing list.
Objective: The paper observes the historical time delays between the assignment of CVEs on a mailing list and the later appearance of these CVEs in the National Vulnerability Database (NVD). Drawing from research on software engineering coordination, software vulnerabilities, and bug tracking, the delays are modeled through three dimensions: social networks and communication practices, tracking infrastructures, and the technical characteristics of the CVEs coordinated.
Method: Given a period between 2008 and 2016, a sample of over five thousand CVEs is used to model the delays with nearly fifty explanatory metrics. Regression analysis is used for the modeling.
Results: The results show that the CVE coordination delays are affected by different abstractions for noise and prerequisite constraints. These abstractions convey effects from the social network and infrastructure dimensions. Particularly strong effect sizes are observed for annual and monthly control metrics, a control metric for weekends, the degrees of the nodes in the CVE coordination networks, and the number of references given in NVD for the CVEs archived. Smaller but visible effects are present for metrics measuring the entropy of the emails exchanged, traces to bug tracking systems, and other related aspects. The empirical signals are weaker for the technical characteristics.
Conclusion: Software vulnerability and CVE coordination exhibit all typical traits of software engineering coordination in general. The coordination perspective elaborated and the case studied open new avenues for further empirical inquiries as well as practical improvements for contemporary CVE coordination.