[Paper] Characterizing and Modeling the GitHub Security Advisories Review Pipeline
Source: arXiv - 2602.06009v1
Overview
GitHub Security Advisories (GHSA) are now a cornerstone for reporting and consuming open‑source vulnerability information. Yet only a subset of these advisories go through a formal review by GitHub, and the inner workings of that review pipeline have been largely opaque. This paper presents the first large‑scale empirical analysis of the GHSA review process, uncovering how advisories flow through the system, what drives review speed, and how the pipeline can be modeled mathematically.
Key Contributions
- Comprehensive dataset: Collected and analyzed 288 K+ GHSA entries spanning 2019‑2025, the most extensive study of its kind.
- Review likelihood model: Identified concrete factors (e.g., advisory source, severity, repository activity) that predict whether an advisory will be reviewed by GitHub.
- Latency regimes: Discovered two distinct latency patterns—a “fast path” for GitHub Repository Advisories (GRAs) and a “slow path” for advisories that first appear in the National Vulnerability Database (NVD).
- Queueing‑theory model: Built a two‑stage queueing model that accurately reproduces observed review‑time distributions and explains the dichotomy between fast and slow paths.
- Actionable insights: Provided concrete recommendations for maintainers, security tooling vendors, and GitHub to improve advisory handling and reduce review bottlenecks.
Methodology
- Data collection: The authors harvested every public GHSA record via the GitHub GraphQL API, enriching it with metadata from the NVD, repository activity logs, and vulnerability scanners.
- Feature engineering: Each advisory was annotated with attributes such as source type (GRA vs. NVD‑first), CVSS score, number of affected packages, and the activity level of the owning repository.
- Statistical analysis: Logistic regression and survival‑analysis techniques were used to quantify the probability of review and the distribution of review delays.
- Model construction: Inspired by classic queueing theory, the pipeline was abstracted into two parallel service stations (fast and slow). Service‑time distributions were fitted to the empirical latency data, yielding a closed‑form model that predicts overall review throughput.
- Validation: The model’s predictions were compared against a hold‑out set of advisories, achieving a mean absolute error of < 1 day for fast‑path advisories and < 7 days for slow‑path ones.
Results & Findings
- Review probability: Roughly 38 % of all GHSA entries receive a formal GitHub review. GRAs have a 71 % review rate, while NVD‑first advisories drop to 22 %.
- Latency split: Fast‑path advisories are typically reviewed within 2‑4 days, whereas slow‑path advisories exhibit a heavy‑tailed distribution with a median of 23 days and outliers beyond 90 days.
- Key predictors: Source type, CVSS severity, and the presence of a dedicated security team in the repository are the strongest determinants of both review likelihood and speed.
- Model accuracy: The two‑stage queueing model reproduces the observed bimodal latency distribution (R² = 0.92) and can forecast the impact of changes such as adding more reviewers to the slow path.
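As an added illustration (not the paper's code, and not its fitted parameters), the following discrete-event simulation of the two parallel service stations described above routes GRA advisories to a fast station and NVD-first advisories to a slow one, then forecasts how adding reviewers to the slow path shifts its median latency. The exponential and lognormal service-time choices, the arrival rate, and the reviewer counts are all assumptions picked to match the medians reported on this page.

```python
import math
import random
from statistics import median

# Assumed model: exponential fast-path service, lognormal (heavy-tailed) slow-path
# service, Poisson arrivals. These are illustrative choices, not the paper's fits.

def simulate_pipeline(n_advisories, fast_reviewers, slow_reviewers,
                      p_gra=0.5, arrivals_per_day=2.0, fast_mean_days=3.0,
                      slow_median_days=23.0, slow_sigma=1.0, seed=7):
    """Two parallel FIFO review stations, each with a fixed reviewer pool.

    Returns {"fast": [...], "slow": [...]} end-to-end latencies in days
    (queue wait plus service) for a constructed stream of advisories.
    """
    rng = random.Random(seed)
    # Constructed arrival stream: Poisson process; source (GRA or NVD-first)
    # drawn per advisory with probability p_gra of being a GRA.
    t, arrivals = 0.0, []
    for _ in range(n_advisories):
        t += rng.expovariate(arrivals_per_day)
        arrivals.append((t, rng.random() < p_gra))
    # Per station: the time at which each reviewer next becomes free.
    free_at = {True: [0.0] * fast_reviewers, False: [0.0] * slow_reviewers}
    latencies = {True: [], False: []}
    for arrived, is_fast in arrivals:  # arrivals are already time-ordered
        slots = free_at[is_fast]
        i = min(range(len(slots)), key=slots.__getitem__)  # earliest-free reviewer
        start = max(arrived, slots[i])  # queue if every reviewer is busy
        if is_fast:
            service = rng.expovariate(1.0 / fast_mean_days)
        else:  # heavy tail: lognormal with the assumed 23-day median
            service = rng.lognormvariate(math.log(slow_median_days), slow_sigma)
        slots[i] = start + service
        latencies[is_fast].append(slots[i] - arrived)
    return {"fast": latencies[True], "slow": latencies[False]}

def latency_summary(latencies):
    """Median and 90th-percentile latency (days) for each path."""
    out = {}
    for path, values in latencies.items():
        ordered = sorted(values)
        out[path] = (median(ordered), ordered[int(0.9 * (len(ordered) - 1))])
    return out

def slow_path_staffing_effect(extra_reviewers, **kw):
    """Forecast: slow-path median before and after adding reviewers there."""
    base = latency_summary(simulate_pipeline(2000, 5, 45, **kw))["slow"][0]
    more = latency_summary(simulate_pipeline(2000, 5, 45 + extra_reviewers, **kw))["slow"][0]
    return base, more

if __name__ == "__main__":
    print(latency_summary(simulate_pipeline(2000, 5, 45)))
    print(slow_path_staffing_effect(15))
```

Because the seed fixes the arrival and service samples, the two runs inside `slow_path_staffing_effect` differ only in queueing delay, which isolates the staffing effect the paper's model is meant to forecast.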
Practical Implications
- For maintainers: Submitting advisories as GRAs (i.e., directly through the GitHub UI) dramatically increases the chance of rapid review. Providing rich metadata (severity, affected versions) further speeds the process.
- For security tooling vendors: Knowing the latency regime helps prioritize which advisories to surface to end‑users; fast‑path advisories can be treated as “high‑confidence” updates, while slow‑path ones may warrant additional verification.
- For GitHub: The queueing model offers a decision‑support tool to allocate reviewer resources dynamically—e.g., scaling the slow‑path team during vulnerability spikes reduces overall backlog.
- For the broader ecosystem: Understanding the review pipeline enables better integration of GHSA data into CI/CD pipelines, automated dependency‑update bots, and risk‑assessment dashboards, leading to faster patch adoption.
Limitations & Future Work
- Data freshness: The study covers advisories up to early 2025; any policy changes at GitHub after that point are not reflected.
- External factors: The model does not account for human factors such as reviewer expertise or workload fluctuations due to holidays.
- Generalizability: While the queueing framework fits GHSA well, applying it to other vulnerability‑disclosure platforms (e.g., OSV, PyPI) may require additional calibration.
Future research directions include extending the model to multi‑stage pipelines (e.g., incorporating community triage), exploring the impact of automated advisory generation, and evaluating how reviewer incentives affect overall system throughput.
Authors
- Claudio Segal
- Paulo Segal
- Carlos Eduardo de Schuller Banjar
- Felipe Paixão
- Hudson Silva Borges
- Paulo Silveira Neto
- Eduardo Santana de Almeida
- Joanna C. S. Santos
- Anton Kocheturov
- Gaurav Kumar Srivastava
- Daniel Sadoc Menasché
Paper Information
- arXiv ID: 2602.06009v1
- Categories: cs.CR, cs.SE
- Published: February 5, 2026