Security Watch

Keeping Track of patches and hacks in the IT security world.

What's Behind Drop in 2007 Vulnerability Counts?

For the first time since people started keeping track of this stuff, 2007 saw a noticeable decline in publicly reported security vulnerabilities.

In fact, according to data from IBM ISS X-Force, new vulnerability disclosures fell 5.4 percent from the previous year, a drop that could represent an anomaly, a statistical correction or a new trend in the number of disclosures.

Here's the chart:

[Chart: ISS_2007_vulncount.gif, X-Force count of vulnerability disclosures by year]

As you can see, 2005 and 2006 saw huge jumps (approximately 41 percent each year) that were well above the historical average growth rate (27 percent a year), according to X-Force internal statistics.

Although the overall count decreased, the company said high-priority vulnerabilities increased by 28 percent, suggesting that researchers could simply be focusing on the sometimes more difficult, high-priority finds.

[ SEE: $20000 Bounty Placed on Windows Flaws ]

I think what we're seeing here is how much the third-party brokers that buy flaws (and sometimes coordinate disclosure) are influencing the way vulnerabilities get reported and fixed by affected vendors.

More and more, I think hackers are going to places like iDefense's VCP (Vulnerability Contributor Program), TippingPoint's Zero Day Initiative, WabiSabiLabi and the other lesser-known brokers to make money from their discoveries.

This basically means that a lot of vulnerabilities sold this way are never reported to the vendor and, by extension, never get fixed. See the ongoing RealNetworks drama for evidence of this.

Also, bear in mind that a lot of software vendors, including Microsoft, silently fix vulnerabilities (shipping the fix without a public advisory), meaning that the disclosure count doesn't reflect the actual weakness or strength of a software product.

Am I missing anything? What do you think is behind this flaw count reduction?

More from Rich Mogull, Pete Lindstrom and Larry Dignan.