There has been a long-standing hypothesis that a software's popularity is related to its security or insecurity in both research and popular discourse. There are also a few empirical studies that have examined the hypothesis, either explicitly or implicitly. The present work continues with and contributes to this research with a replication-motivated large-scale analysis of software written in the PHP programming language. The dataset examined contains nearly four hundred thousand open source software packages written in PHP. According to the results based on reported security vulnerabilities, the hypothesis does holds; packages having been affected by vulnerabilities over their release histories are generally more popular than packages without having been affected by a single vulnerability. With this replication results, the paper contributes to the efforts to strengthen the empirical knowledge base in cyber and software security.
View on arXiv@article{ruohonen2025_2502.16670,
title={ The Popularity Hypothesis in Software Security: A Large-Scale Replication with PHP Packages },
author={ Jukka Ruohonen and Qusai Ramadan },
journal={arXiv preprint arXiv:2502.16670},
year={ 2025 }
}