🤖 AI Summary
Empirical research on security weaknesses in virtual reality (VR) software remains scarce, and public vulnerability databases provide inadequate coverage of VR-specific issues. Method: We construct the first systematic VR security weakness dataset, comprising 1,681 security issues across 334 open-source VR projects on GitHub. We propose an automated identification and classification framework that mines commit histories, integrating static analysis and pattern matching to trace the introduction time, persistence duration, and remediation trajectory of each weakness throughout its lifecycle. Results: Our analysis reveals that UI-related weaknesses are the most prevalent; security risks in the VR development toolchain exceed those at the application layer; and over half of all weaknesses are introduced during early project stages. This work fills a critical gap in empirical VR security research and provides foundational insights for designing targeted defense mechanisms.
📝 Abstract
Virtual Reality (VR) has emerged as a transformative technology across industries, yet its security weaknesses, including vulnerabilities, are underinvestigated. This study investigates 334 VR projects hosted on GitHub, examining 1,681 software security weaknesses to understand: what types of weaknesses are prevalent in VR software; when and how weaknesses are introduced; how long they have survived; and how they have been removed. Due to the limited availability of VR software security weaknesses in public databases (e.g., the National Vulnerability Database or NVD), we prepare the first systematic dataset of VR software security weaknesses by introducing a novel framework to collect such weaknesses from GitHub commit data. Our empirical study on the dataset leads to useful insights, including: (i) VR weaknesses are heavily skewed toward user interface weaknesses, followed by resource-related weaknesses; (ii) VR development tools pose higher security risks than VR applications; (iii) VR security weaknesses are often introduced at the VR software birth time.