Software vulnerabilities can cause tremendous operational and financial damage to individuals and organisations in the event of cyber attacks. For example, the recent Log4J vulnerability can make millions of systems worldwide open to cyber attacks and potentially cause billions of dollars of damage. Software Vulnerability Management (SVM) is a critical process during software development to ensure software security and prevent these dangerous cyber attacks. SVM typically contains various phases such as detection, assessment, prioritisation, fixing/patching and reporting/disclosure. In the last 10 years, there has been an unprecedented rise in the size and complexity of software systems. For instance, the codebase of Google services contains more than two billion lines of code. This in turn requires new technologies, tools, and practices for SVM to ensure the security of such systems.

The International Workshop on Software Vulnerability Management (SVM) is a venue that aims to bring together academics, industry and government practitioners to present and discuss the state-of-the-art and state-of-the-practice of SVM to support both current and emerging software technologies and infrastructures.


Applying psychological theories to improve software vulnerability management

The Cyber security community has spent great efforts to emphasise the importance of security by design. Unfortunately, industries’ push to market too soon often hampers their efforts. Although there has been some improvement in this space, including tools to support software developers, much work is needed to motivate and improve software engineers' practices in the prevention, detection, and response to security flaws by design. This paper highlights psychological theories, such as attribution theories and heuristics, that might inform software engineers about potential cognitive biases that may lead to insecure design. Moreover, it draws from social psychological theories often applied to management (e.g., social identity theory, adaptive leadership) that may help software engineers better organise their teams to collectively work to improve upon developing secure software.


Prof. Monica Whitty

Monash University

Professor Monica Whitty is the Head of Department of Software Systems and Cybersecurity and is Professor of Human Factors in Cyber Security. She has been a member of the World Economic Forum Cyber Security Centre and was a member of the WEF Cyber Security Global Futures Committee.

Prof Whitty's academic career began in Australia working at Macquarie University and the University of Western Sydney, before moving to the UK (2003) and then returning home to Australia (2018). In the UK she worked for universities in the Russell Group (Queen's University, Belfast; University of Warwick), and The 1994 Group Universities (University of Leicester). In Australia, she previously worked at the University of Melbourne before commencing her post at UNSW in 2020. She was the founder and the Director of the UNSW Institute for Cyber Security (IFCYBER). Professor Whitty has worked in a GCHQ accredited Cyber Security Centre in the UK at the University of Warwick and has held an honorary post at the University of Oxford at the Oxford Martin School and the Oxford Internet Institute, and an honorary Professorship at the Institute of Royal Holloway, University of London.

Monica has extensive experience in leading large interdisciplinary, international teams on funded projects. Professor Whitty has been awarded significant research funding and has led most of her projects. She has extensive experience in teaching at all levels and in the development of successful Masters courses.

Prof Whitty is the author of over 100 articles and 5 books. She is a leading expert on cyber fraud (esp. romance scams), identities created in cyberspace, online security risks, behaviour in cyberspace, insider threat, as well as detecting and preventing deception, such as cyberscams and mis/disinformation. Monica is also currently on a talkback radio program on ABC Cairns to provide help and feedback to prevent scam victimization.

Call for papers

The International Workshop on Software Vulnerability Management (SVM) invites academia, industry, and governmental entities to submit original research papers and demos (hands-on or videos) concerning the advances and practices of software vulnerability management from both technical and socio-technical perspectives.

The suggested topics include but not limited to:

  • Requirements engineering for SVM
  • Techniques and practices of threat modeling (including mixed-methods)
  • Methodology and processes for SVM
  • Static/dynamic analysis tools for SVM
  • AI-driven techniques for SVM (AI4SVM)
  • SVM for AI-based systems (SVM4AI)
  • Socio-technical aspects of SVM
  • Human-AI collaboration for SVM
  • Empirical study of SVM tools and/or practices (including mixed-methods)
  • SVM in software development lifecycle
  • SVM in software supply chain security
  • Mining software repositories for SVM
  • Datasets for SVM
  • Data quality for SVM analytics
  • Software infrastructures for SVM
  • SVM for infrastructure-as-code and/or virtualised infrastructures
  • SVM for DevOps
  • SVM for emerging software systems (e.g., blockchain, virtual, augmented, mixed reality, and quantum systems)

Submission Types

The SVM workshop welcomes two types of submissions:

  • Full Papers: up to eight pages, including references. These full papers are expected to describe original contributions to research and/or practice for SVM. We also welcome experience or industrial reports. Although these papers can include work-in-progress work, the authors must outline a clear plan moving forward. The accepted papers will be allocated 10 to 15 minutes for presentation.
  • Short Papers: up to four pages, including references. These short papers are expected to present emerging ideas papers or visions for the SVM field, or new datasets and tools for SVM that can be accompanied by either hands-on or recorded demos. The papers that are overly focused on the advertisement of a product or service, rather than discussing interesting findings and insights gained from the use of a product or operation of a service, are heavily discouraged. The accepted short papers will be allocated 4 to 7 minutes for presentation.

How to Submit

We adopt the guidelines of ICSE 2023 paper submission for the SVM workshop. Specifically, submissions must conform to the IEEE conference proceedings template, specified in the IEEE Conference Proceedings Formatting Guidelines (title in 24pt font and full text in 10pt type, LaTeX users must use \documentclass[10pt,conference]{IEEEtran} without including the compsoc or compsocconf options).

When submitting to the workshop, authors acknowledge that they conform to the authorship policy of the ACM, and the authorship policy of the IEEE.

Authors are strongly encouraged to share the artifacts (e.g., data, code, and models) in the submissions, whenever possible, as per the Open Science Policy of ICSE 2023.

The submissions need to be made to HotCRP at https://svmconf2023.hotcrp.com/.

Double-Anonymous Review Process

As per the ICSE 2023 guidelines, papers and abstracts submitted for review must be anonymous: (1) Authors' names and affiliations must be omitted; (2) All of the references to the authors' previous work need to be done in the third person, as though it were written by someone else; (3) When referring to or including a website (e.g., GitHub) that contains source code, tools, or other supplemental materials, the link in the submission and the website itself must not contain the authors' names and/or affiliations; (4) Avoid using the submission title when sharing/discussing the submission publicly during the review process; (5) Avoid mentioning the paper/preprint uploaded to a public repository (e.g., Arxiv) is under submission to the workshop. Each paper will then be anonymously reviewed by at least three experts that do not have a conflict of interest with the author(s). Papers or abstracts that are not properly anonymized may be desk rejected without review.

Conflicts of Interest

We seriously consider Conflicts of Interest during the paper review. Both authors and program committee members are encouraged to cooperate to prevent submissions from being evaluated by reviewers having a conflict of interest with any of the authors. The authors and reviewers can refer to the ACM Conflict of Interest Policy for identifying a conflict of interest.

Ethics Policies

If the research involves human participants/subjects, the authors must adhere to the ACM Publications Policy on Research Involving Human Participants and Subjects. Upon submitting, authors will declare their compliance to such a policy.

If the submission describes, or otherwise takes advantage of, newly discovered software vulnerabilities or cyber attacks, the authors should disclose these vulnerabilities to the vendors/maintainers of affected systems prior to the submission deadline. When disclosure is necessary, authors are expected to include a statement within their submission and/or final paper about steps taken to fulfill the goal of responsible disclosure.

Important Dates

  • Papers Submission deadline - January 13, 2023 January 20, 2023 (AoE time)
  • Papers Acceptance Notification - February 24, 2023 (AoE time)
  • Papers Camera Ready - March 17, 2023 (AoE time)
  • Date of Workshop - May 20, 2023 (AoE time)

Program Committee

  • Andy Meneely, Rochester Institute of Technology, USA.
  • Amiangshu Bosu, Wayne State University, USA.
  • Zhiyuan Wan, Zhejiang University, China.
  • Joanna C. S. Santos, University of Notre Dame, USA.
  • Gias Uddin, University of Calgary, Canada.
  • Hoa K. Dam, University of Wollongong, Australia.
  • Jingyue Li, Norwegian University of Science and Technology, Norway.
  • Lingxiao Jiang, Singapore Management University, Singapore.
  • Hongyu Zhang, University of Newcastle, Australia.
  • Zaida Codabux, University of Saskatchewan, Canada.
  • Kristen Moore, Data61, Australia.
  • Monica Whitty, Monash University, Australia.
  • Xiaoning Du, Monash University, Australia.
  • Sharif Abuadbba, Data61, Australia.
  • Karen Renaud, University of Strathclyde, United Kingdom.
  • Chadni Islam, The University of Adelaide, Australia.
  • Roland , The University of Adelaide, Australia.
  • Tina Wu, Data61, Australia.
  • Fabio Massacci, University of Trento, Italy.
  • Ranindya Paramitha, University of Trento, Italy.
  • Antonino Sabetta, SAP Security Research, France.
  • Jamal El Hachem, University of South Brittany, France.
  • Nan Messe, University of Toulouse - Jean Jaurès, France.
  • Nicolás E. Díaz Ferreyra, Hamburg University of Technology, Germany.
  • Steven Arzt, Fraunhofer SIT, Germany.

Organizing Committee

General Chairs

  • Muhammad Ali Babar, The University of Adelaide, Australia.
  • Awais Rashid, University of Bristol, United Kingdom.
  • Triet Huynh Minh Le, The University of Adelaide, Australia.

Proceedings Chair

  • Chadni Islam, The University of Adelaide, Australia.

Publicity Chair

  • Roland Croft, The University of Adelaide, Australia.

Web Chair

  • Liuyue Jiang, The University of Adelaide, Australia.

Accepted Papers

# Title/Authors
An Empirical Study on Workflows and Security Policies in Popular GitHub Repositories
A Static Analysis Platform for Investigating Security Trends in Repositories
Identifying missing relationships of CAPEC attack patterns by transformer models and graph structure
VrT: Vulnerabilities Reports Tagger Machine Learning Driven Cybersecurity Tool for Vulnerability Classification


Sat 20 May

This program is tentative and subject to change.

Time Title Who
9:15am Opening Prof. Ali Babar and Dr. Triet Le
9:30am Keynote: Applying psychological theories to improve software vulnerability management Prof. Monica Whitty
10:30am Morning tea
11:00am Paper Session 1 - Vulnerability Analytics

A Static Analysis Platform for Investigating Security Trends in Repositories
An Empirical Study on Workflows and Security Policies in Popular GitHub Repositories

Authors of paper 1 and paper 2
11:40am Group forming and discussion: SVM gaps between academia and practice
12:30pm Lunch
14:00pm Keynote TBD
15:15pm Afternoon tea
15:45pm Invited talk: Software Security: Goals, Planned R&D and Progress on multi-million dollar project
16:15pm Paper Session 2 - ML for SVM

VrT: Vulnerabilities Reports Tagger Machine Learning Driven Cybersecurity Tool for Vulnerability Classification
Identifying missing relationships of CAPEC attack patterns by transformer models and graph structure

Authors of paper 3 and paper 4
16:50pm Closing