Fixing Outside the Box: Uncovering Tactics for Open-Source Security Issue Management

📅 2025-03-30
🤖 AI Summary
Problem: Existing automated tools for remediating security vulnerabilities in open-source software (OSS) support only a few strategies (e.g., adjusting the vulnerable version, applying a patch), while practitioners use a far richer and more diverse set of repair practices, and no systematic empirical study has characterized that landscape. Method: A large-scale empirical study of 21,187 real-world security issues from GitHub, producing the first hierarchical taxonomy of 44 remediation tactics (RTs) through mixed-method analysis: data mining, qualitative coding, and an evaluation of each tactic along two dimensions, effectiveness and cost. Contribution/Results: 44% of the high-frequency strategies (e.g., replacing a dependency with an alternative library, bypassing the vulnerable code) are unsupported by mainstream tools; 54% of CVE entries carry no actionable remediation guidance, while 93% of the studied security issues provide an explicit, implementable fix. The taxonomy is offered as an empirically grounded framework for extending automated remediation tools and enriching vulnerability databases.

📝 Abstract
In the rapidly evolving landscape of software development, addressing security vulnerabilities in open-source software (OSS) has become critically important. However, existing research and tools from both academia and industry have mainly relied on limited solutions, such as vulnerable version adjustment and adopting patches, to handle identified vulnerabilities, whereas far more flexible and diverse countermeasures have been actively adopted in the open-source communities. A holistic empirical study is needed to explore the prevalence, distribution, preferences, and effectiveness of these diverse strategies. To this end, in this paper, we conduct a comprehensive study on the taxonomy of vulnerability remediation tactics (RTs) in OSS projects and investigate their pros and cons. This study addresses this oversight by conducting a comprehensive empirical analysis of 21,187 issues from GitHub, aiming to understand the range and efficacy of remediation tactics within the OSS community. We developed a hierarchical taxonomy of 44 distinct RTs and evaluated their effectiveness and costs. Our findings highlight a significant reliance on community-driven strategies, like using alternative libraries and bypassing vulnerabilities, 44% of which are currently unsupported by cutting-edge tools. Additionally, this research exposes the community's preferences for certain fixing approaches by analyzing their acceptance and the reasons for rejection. It also underscores a critical gap in modern vulnerability databases, where 54% of CVEs lack fixing suggestions, a gap that can be significantly mitigated by leveraging the 93% of actionable solutions provided through GitHub issues.
Problem

Research questions and friction points this paper is trying to address.

Exploring diverse security vulnerability remediation tactics in open-source software
Assessing effectiveness and community preferences for 44 distinct fixing strategies
Addressing gaps in vulnerability databases with actionable GitHub issue solutions
Innovation

Methods, ideas, or system contributions that make the work stand out.

Hierarchical taxonomy of 44 remediation tactics, each evaluated for effectiveness and cost
Empirical analysis of 21,187 GitHub security issues
Evidence that community-driven strategies (alternative libraries, bypassing the vulnerable code) are widely used yet 44% of them are unsupported by current tools
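The Problem and Innovation lists above describe mining remediation tactics from GitHub issues and using them to fill advisories that lack a fix suggestion. The following is an added, illustrative example of that idea; it is not the paper's code or its coding scheme. It uses only the four tactic categories this page names (version adjustment, patch adoption, alternative library, vulnerability bypass); the indicative phrases, the `Issue` record, the repository names, the placeholder advisory IDs and all sample comments are constructed for the example.

```python
"""Mining remediation tactics (RTs) from issue text and using them to
mark advisories without a fix suggestion as actionable.

Added, illustrative example: not the paper's code or taxonomy. Tactic
categories are the four named on the page; the phrase lists and the sample
data are assumptions constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Indicative phrases per tactic category. Assumption: a real classifier would
# be derived from the taxonomy's coded examples, not a hand-written list.
TACTIC_PATTERNS: Dict[str, List[str]] = {
    "version_adjustment": [
        r"\b(upgrade|upgraded|bump|bumped|downgrade|downgraded)\b",
    ],
    "patch_adoption": [
        r"\bbackport", r"\bcherry-pick", r"\bappl(y|ied) (the |a )?patch",
    ],
    "alternative_library": [
        r"\breplac(e|ed|ing)\b.*\bwith\b", r"\bswitch(ed|ing)?\b.*\bto\b",
        r"\bin favou?r of\b",
    ],
    "vulnerability_bypass": [
        r"\bworkaround\b", r"\bdisabl(e|ed|ing)\b",
        r"\bnot (affected|exploitable|reachable)\b",
    ],
}

# Per the summary, version changes and patch application are what mainstream
# remediation tools support; the other two categories are not.
TOOL_SUPPORTED: Set[str] = {"version_adjustment", "patch_adoption"}


@dataclass
class Issue:
    repo: str
    number: int
    cve: Optional[str]      # advisory the issue discusses, if any
    comments: List[str]


def classify_tactics(issue: Issue) -> Set[str]:
    """Return every tactic category whose indicative phrases occur in the issue."""
    text = " ".join(issue.comments).lower()
    return {
        tactic for tactic, patterns in TACTIC_PATTERNS.items()
        if any(re.search(p, text) for p in patterns)
    }


def unsupported_tactics(tactics: Set[str]) -> Set[str]:
    """Tactics a practitioner would have to apply by hand, tools aside."""
    return tactics - TOOL_SUPPORTED


def enrich_advisories(advisories: Dict[str, Optional[str]],
                      issues: List[Issue]) -> Dict[str, dict]:
    """Attach issue-derived tactics to each advisory. An advisory counts as
    actionable if the database already suggests a fix or a linked issue does."""
    report = {}
    for cve, fix in advisories.items():
        linked = [(i, classify_tactics(i)) for i in issues if i.cve == cve]
        tactics = set().union(*(t for _, t in linked))
        report[cve] = {
            "has_fix_suggestion": fix is not None,
            "issue_tactics": sorted(tactics),
            "sources": [f"{i.repo}#{i.number}" for i, t in linked if t],
            "actionable": fix is not None or bool(tactics),
        }
    return report


def coverage_report(enriched: Dict[str, dict]) -> Dict[str, int]:
    """Count advisories lacking a fix suggestion and how many of those
    become actionable once the linked issues are mined."""
    missing = [c for c, r in enriched.items() if not r["has_fix_suggestion"]]
    recovered = [c for c in missing if enriched[c]["issue_tactics"]]
    return {"advisories": len(enriched), "missing_fix": len(missing),
            "recovered_from_issues": len(recovered)}


# Constructed sample data: placeholder repositories, issue numbers, advisory
# IDs ("ADV-...") and comment text; none of it is real.
SAMPLE_ISSUES = [
    Issue("acme/webapp", 101, "ADV-0001",
          ["Dependabot flagged lodash; we bumped it to 4.17.21 in #102."]),
    Issue("acme/webapp", 117, "ADV-0002",
          ["Upstream is unmaintained, so we replaced request with undici.",
           "As a workaround until the swap lands we disabled redirect following."]),
    Issue("acme/cli", 9, "ADV-0003",
          ["Backported the upstream fix as a patch under vendor/."]),
    Issue("acme/cli", 12, "ADV-0004",
          ["Tracking only; no decision yet."]),
]
SAMPLE_ADVISORIES: Dict[str, Optional[str]] = {
    "ADV-0001": "Upgrade to 4.17.21",   # database already suggests a fix
    "ADV-0002": None,                   # no fix suggestion in the database
    "ADV-0003": None,
    "ADV-0004": None,
}

if __name__ == "__main__":
    enriched = enrich_advisories(SAMPLE_ADVISORIES, SAMPLE_ISSUES)
    for cve, row in enriched.items():
        print(cve, row)
    print(coverage_report(enriched))
```

On the constructed sample, three of the four advisories lack a fix suggestion and two of those become actionable from their linked issues; the tactics recovered for ADV-0002 (alternative library, bypass) are exactly the kind the summary says mainstream tools do not support, which is the gap a remediation pipeline built on advisory data alone would miss.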
Authors
Lyuye Zhang, Postdoc, Nanyang Technological University (Program Analysis; Open Source; Open Source Security; Software Supply Chain; Software Maintenance)
Jiahui Wu, Nanyang Technological University, Singapore
Chengwei Liu, Research Assistant Professor, Nanyang Technological University (Open Source Security; Software Supply Chain Security; Program Analysis; Software Maintenance)
Kaixuan Li, East China Normal University, China
Xiaoyu Sun, School of Computing, Australian National University, Australia
Lida Zhao, Nanyang Technological University (Software Composition Analysis; LLM Security)
Chong Wang, Nanyang Technological University, Singapore
Yang Liu, Nanyang Technological University, Singapore