What's Behind Drop in 2007 Vulnerability Counts?

By Ryan Naraine | Posted 2008-02-05

For the first time since people started keeping track of this stuff, 2007 saw a noticeable decline in publicly reported security vulnerabilities.

In fact, according to data from IBM ISS X-Force, there was a 5.4 percent decline in new vulnerability disclosures from the previous year, a drop that could represent an anomaly, a statistical correction or a new trend in the amount of disclosures.

Here's the chart:


As you can see, 2005 and 2006 saw huge jumps (approximately 41 percent each year) that were well above the historical average (27 percent a year), according to X-Force internal statistics.

Although there was a decrease in overall vulnerabilities, the company said high priority vulnerabilities increased by 28 percent, suggesting that researchers could simply be focusing on the sometimes more difficult, high-priority finds.

[ SEE: $20000 Bounty Placed on Windows Flaws ]

I think what we're seeing here is how much the third-party brokers that buy flaws (and sometimes coordinate disclosure) are influencing the way vulnerabilities get reported and fixed by affected vendors.

More and more, I think hackers are going to places like iDefense's VCP, TippingPoint's Zero Day Initiative, WabiSabiLabi and the other lesser-known brokers to make money from their discoveries.

This basically means that a lot of vulnerabilities are never reported to a vendor and, by extension, never get fixed. See the ongoing RealNetworks drama for evidence of this.

Also, bear in mind that a lot of software vendors, including Microsoft, participate in the silent fixing of vulnerabilities, meaning that the public disclosure count doesn't reflect the actual weakness or strength of a software product.

Am I missing anything? What do you think is behind this flaw count reduction?

More from Rich Mogull, Pete Lindstrom and Larry Dignan.
