Vulnerability Webs: Systemic Risk in Software Networks

Abstract

Software development relies on code reuse to minimize costs, creating vulnerability risks through dependencies with substantial economic impact, as seen in the Crowdstrike and HeartBleed incidents. We analyze 52,897 dependencies across 16,102 Python repositories using a strategic network formation model incorporating observable and unobservable heterogeneity. Through variational approximation of conditional distributions, we demonstrate that dependency creation generates negative externalities. Vulnerability propagation, modeled as a contagion process, shows that popular protection heuristics are ineffective. AI-assisted coding, on the other hand, offers an effective alternative by enabling dependency replacement with in-house code.