This study addresses the critical problem of CVE assignment delays in open-source software, which impede timely security responses by downstream projects. We conduct the first systematic modeling and empirical analysis of the end-to-end vulnerability propagation process across GitHub Security Advisories (3,798 entries) and bug bounty reports (4,033 submissions). Leveraging cross-source data alignment, fine-grained vulnerability lifecycle tracking, and statistical analysis, we identify at least 63,852 publicly disclosed yet unassigned vulnerabilities. We empirically confirm that CVE assignment delay constitutes a key bottleneck causing patch omission in dependent projects and quantify its cascading impact on ecosystem-wide security updates. Our findings expose a structural misalignment between the CVE assignment mechanism and collaborative ecosystem response. To bridge this gap, we propose a practical, actionable framework for coordinated optimization of vulnerability disclosure, CVE numbering, and downstream notification—providing both theoretical foundations and implementable pathways to enhance the timeliness of open-source supply chain security responses.

In the world of open-source software (OSS), the number of known vulnerabilities has tremendously increased. The GitHub Advisory Database contains advisories for security risks in GitHub-hosted OSS projects. As of 09/25/2023, there are 197,609 unreviewed GitHub security advisories. Of those unreviewed, at least 63,852 are publicly documented vulnerabilities, potentially leaving many OSS projects vulnerable. Recently, bug bounty platforms have emerged to focus solely on providing bounties to help secure OSS. In this paper, we conduct an empirical study on 3,798 reviewed GitHub security advisories and 4,033 disclosed OSS bug bounty reports, a perspective that is currently understudied, because they contain comprehensive information about security incidents, e.g., the nature of vulnerabilities, their impact, and how they were resolved. We are the first to determine the explicit process describing how OSS vulnerabilities propagate from security advisories and bug bounty reports, which are the main intermediaries between vulnerability reporters, OSS maintainers, and dependent projects, to vulnerable OSS projects and entries in global vulnerability databases and possibly back. This process uncovers how missing or delayed CVE assignments for OSS vulnerabilities result in projects, both in and out of OSS, not being notified of necessary security updates promptly and corresponding bottlenecks. Based on our findings, we provide suggestions, actionable items, and future research directions to help improve the security posture of OSS projects.