Patchworking: Exploring the code changes induced by vulnerability fixing activities

•Vulnerabilities of the same types are often resolved by applying similar code transformations.•Security patches to CWE-264 vulnerabilities involve more files than the other vulnerabilities.•Vulnerabilities caused by improper data handling entail the addition of new methods.•Vulnerabilities caused by improper input/output sanitization require the addition of new conditional branches.