Misleading title

[jssmith1]

R2:

The paper is easy to follow but the title „How developers diagnose potential security vulnerabilities with static analysis.“ is somehow misleading. This title suggests that the article is about developers that employ different static analysis tools to identify vulnerabilities. What they actually do is to understand the results of a particular static security analysis tool and to justify a fix for the reported vulnerability.

[jssmith1]

We interpret this to be a question about whether we were studying multiple tools. To clarify this point, we changed the title to: "How Developers Diagnose Potential Security Vulnerabilities with a Static Analysis Tool."

[jssmith1]

• [ ] Update on submission system