Recurrent reintroduction of software vulnerabilities after patching reveals deep coupling between development processes and socio-technical factors. Method: This work innovatively analyzes security fixes at the commit level—not file level—integrating longitudinal process metrics (e.g., bus factor, issue density, issue decay) with code change sequences to systematically identify 76 vulnerability reintroductions in ImageMagick. Contribution/Results: We find that reintroduction is significantly associated with accelerated issue decay and anomalous fluctuations in issue density, confirming it as a consequence of cumulative development activity and deteriorating team collaboration. This study is the first to jointly model the dynamic evolution of process metrics and the vulnerability lifecycle, yielding actionable insights for early risk detection and resilience-oriented development practices.

Software vulnerabilities often persist or re-emerge even after being fixed, revealing the complex interplay between code evolution and socio-technical factors. While source code metrics provide useful indicators of vulnerabilities, software engineering process metrics can uncover patterns that lead to their introduction. Yet few studies have explored whether process metrics can reveal risky development activities over time -- insights that are essential for anticipating and mitigating software vulnerabilities. This work highlights the critical role of process metrics along with code changes in understanding and mitigating vulnerability reintroduction. We move beyond file-level prediction and instead analyze security fixes at the commit level, focusing not only on whether a single fix introduces a vulnerability but also on the longer sequences of changes through which vulnerabilities evolve and re-emerge. Our approach emphasizes that reintroduction is rarely the result of one isolated action, but emerges from cumulative development activities and socio-technical conditions. To support this analysis, we conducted a case study on the ImageMagick project by correlating longitudinal process metrics such as bus factor, issue density, and issue spoilage with vulnerability reintroduction activities, encompassing 76 instances of reintroduced vulnerabilities. Our findings show that reintroductions often align with increased issue spoilage and fluctuating issue density, reflecting short-term inefficiencies in issue management and team responsiveness. These observations provide a foundation for broader studies that combine process and code metrics to predict risky fixes and strengthen software security.