For the first time since people started keeping track of this stuff, 2007 saw a noticeable decline in publicly reported security vulnerabilities.
In fact, according to data from IBM ISS X-Force, there was a 5.4 percent decline in new vulnerability disclosures from the previous year, a drop that could represent an anomaly, a statistical correction or a new trend in the amount of disclosures.
Here’s the chart:
As you can see, 2005 and 2006 saw huge jumps (approximately 41 percent each year) that were well above the historical average (27 percent a year), according to X-Force internal statistics.
Although there was a decrease in overall vulnerabilities, the company said high priority vulnerabilities increased by 28 percent, suggesting that researchers could simply be focusing on the sometimes more difficult, high-priority finds.
[ SEE: $20000 Bounty Placed on Windows Flaws ]
I think what we’re seeing here is how much the third-party brokers that buy flaws (and sometimes coordinate disclosure) are influencing the way vulnerabilities get reported and fixed by affected vendors.
More and more, I think hackers are going to places like iDefense’s VCP, TippingPoint’s Zero Day Initiative, WabiSabiLabi and the other lesser-known brokers to make money from their discoveries.
This basically means that a lot of vulnerabilities are never reported to a vendor and, by extension, never get fixed. See the ongoing RealNetworks drama for evidence of this.
Also, bear in mind that a lot of software vendors, including Microsoft, participate in the silent fixing of vulnerabilities, meaning that disclosure doesn’t match the actual weakness/strength of a software product.
Am I missing anything? What do you think is behind this flaw count reduction?
More from Rich Mogull, Pete Lindstrom and Larry Dignan.