{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2018:7Q2RJKSJFZK2HLKI55FLYQ7MYC","short_pith_number":"pith:7Q2RJKSJ","schema_version":"1.0","canonical_sha256":"fc3514aa492e55a3ad48ef4abc43ecc0bc2cb2ad8c073907d651ddaf703d9f0c","source":{"kind":"arxiv","id":"1808.10062","version":2},"attestation_state":"computed","paper":{"title":"Timelines for In-Code Discovery of Zero-Day Vulnerabilities and Supply-Chain Attacks","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Andrew J. Lohn","submitted_at":"2018-08-29T23:05:08Z","abstract_excerpt":"Zero-day vulnerabilities can be accidentally or maliciously placed in code and can remain in place for years. In this study, we address an aspect of their longevity by considering the likelihood that they will be discovered in the code across versions. We approximate well-disguised vulnerabilities as only being discoverable if the relevant lines of code are explicitly examined, and obvious vulnerabilities as being discoverable if any part of the relevant file is examined. We analyze the version-to-version changes in three types of open source software (Mozilla Firefox, GNU/Linus, and glibc) to"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":false,"formal_links_present":false},"canonical_record":{"source":{"id":"1808.10062","kind":"arxiv","version":2},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2018-08-29T23:05:08Z","cross_cats_sorted":[],"title_canon_sha256":"0096473e80bbe2abba517476e0903043dd215fa68190cc33aea9fe1a7f6101e6","abstract_canon_sha256":"823ec9058d3772b33eb1ab10f685f6d5729f6228eb95b10e35e0761d7e4db1f1"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-18T00:06:44.666013Z","signature_b64":"3vkO+63ZbBseZUrAqF7PWUpiAxx1JvrltTAh87RzOnhlh6A3jftY4+Pc48Yh4OfBNCVX7qD3NvXDrDckpwbCBg==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"fc3514aa492e55a3ad48ef4abc43ecc0bc2cb2ad8c073907d651ddaf703d9f0c","last_reissued_at":"2026-05-18T00:06:44.665639Z","signature_status":"signed_v1","first_computed_at":"2026-05-18T00:06:44.665639Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Timelines for In-Code Discovery of Zero-Day Vulnerabilities and Supply-Chain Attacks","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Andrew J. Lohn","submitted_at":"2018-08-29T23:05:08Z","abstract_excerpt":"Zero-day vulnerabilities can be accidentally or maliciously placed in code and can remain in place for years. In this study, we address an aspect of their longevity by considering the likelihood that they will be discovered in the code across versions. We approximate well-disguised vulnerabilities as only being discoverable if the relevant lines of code are explicitly examined, and obvious vulnerabilities as being discoverable if any part of the relevant file is examined. We analyze the version-to-version changes in three types of open source software (Mozilla Firefox, GNU/Linus, and glibc) to"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1808.10062","kind":"arxiv","version":2},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"1808.10062","created_at":"2026-05-18T00:06:44.665700+00:00"},{"alias_kind":"arxiv_version","alias_value":"1808.10062v2","created_at":"2026-05-18T00:06:44.665700+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1808.10062","created_at":"2026-05-18T00:06:44.665700+00:00"},{"alias_kind":"pith_short_12","alias_value":"7Q2RJKSJFZK2","created_at":"2026-05-18T12:32:11.075285+00:00"},{"alias_kind":"pith_short_16","alias_value":"7Q2RJKSJFZK2HLKI","created_at":"2026-05-18T12:32:11.075285+00:00"},{"alias_kind":"pith_short_8","alias_value":"7Q2RJKSJ","created_at":"2026-05-18T12:32:11.075285+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":0,"internal_anchor_count":0,"sample":[]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/7Q2RJKSJFZK2HLKI55FLYQ7MYC","json":"https://pith.science/pith/7Q2RJKSJFZK2HLKI55FLYQ7MYC.json","graph_json":"https://pith.science/api/pith-number/7Q2RJKSJFZK2HLKI55FLYQ7MYC/graph.json","events_json":"https://pith.science/api/pith-number/7Q2RJKSJFZK2HLKI55FLYQ7MYC/events.json","paper":"https://pith.science/paper/7Q2RJKSJ"},"agent_actions":{"view_html":"https://pith.science/pith/7Q2RJKSJFZK2HLKI55FLYQ7MYC","download_json":"https://pith.science/pith/7Q2RJKSJFZK2HLKI55FLYQ7MYC.json","view_paper":"https://pith.science/paper/7Q2RJKSJ","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=1808.10062&json=true","fetch_graph":"https://pith.science/api/pith-number/7Q2RJKSJFZK2HLKI55FLYQ7MYC/graph.json","fetch_events":"https://pith.science/api/pith-number/7Q2RJKSJFZK2HLKI55FLYQ7MYC/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/7Q2RJKSJFZK2HLKI55FLYQ7MYC/action/timestamp_anchor","attest_storage":"https://pith.science/pith/7Q2RJKSJFZK2HLKI55FLYQ7MYC/action/storage_attestation","attest_author":"https://pith.science/pith/7Q2RJKSJFZK2HLKI55FLYQ7MYC/action/author_attestation","sign_citation":"https://pith.science/pith/7Q2RJKSJFZK2HLKI55FLYQ7MYC/action/citation_signature","submit_replication":"https://pith.science/pith/7Q2RJKSJFZK2HLKI55FLYQ7MYC/action/replication_record"}},"created_at":"2026-05-18T00:06:44.665700+00:00","updated_at":"2026-05-18T00:06:44.665700+00:00"}