A Slowdown in Vulnerability Disclosure?
Posted by Gunter Ollmann on May 24, 2007 at 11:05 PM EDT.

It’s interesting to note that the total number of vulnerabilities publicly disclosed so far this year has only increased by 4.7 percent over the same period in 2006 – not nearly as bad as the 39.5 percent annual increase observed last year (2006 vs. 2005).

What’s going on? Is this the beginning of the end for public vulnerability disclosure?  Somehow, I don’t think so.

At first glance, there would appear to be a number of factors influencing this rather “slow” start to 2007.
(A) Microsoft’s Vista operating system and new Office 2007 suite have finally implemented a number of security advances that have prevented many classic bugs from evolving into full-blown security vulnerabilities. While not bulletproof, these advances have raised the bar against some of the more popular vulnerability discovery techniques. Dedicated security researchers and reverse engineers are still finding vulnerabilities, but it’s no longer quite so easy for a newbie to dive in and find a seam of golden opportunities just by pointing a fuzzer at something.

(B) Continuing the Vista theme, new 2007 versions of software now “Vista Compatible” have been a little slower than anticipated in coming to market.  Whilst new vulnerabilities are being discovered in the versions that have been released, two factors are affecting their prompt public disclosure:
     (a) The Vista operating system is helping reduce their exploitability,
     (b) It normally takes several months (or years) for vulnerabilities to be fixed by vendors.

(C) The growing thirst of commercial entities to purchase new vulnerabilities directly from the discoverer prior to any disclosure has resulted in multiple channels for financial reward that may not necessarily lead to a prompt public disclosure (if ever).

(D) A global demand for professional security consultants capable of discovering new vulnerabilities and reverse engineering products for the vendors themselves has meant that much of the ‘better’ talent is now well compensated for any new discoveries in other ways – not to mention the fact that any new vulnerabilities which are discovered quickly become the property of the respective client/vendor, and may just be silently fixed in standard patch release cycles without any public disclosure.

(E) There appears to be a growing social stigma associated with “climbing up the ranks” through the bulk discovery of vulnerabilities using fuzzers. It used to be cool to say you had discovered 100 vulnerabilities. Nowadays people discount that number based upon how many of those were SQL injection or associated with PHP apps.

So, does that mean that the public disclosure rate for 2007 isn’t going to pick up after all? Well, based upon previous years, disclosure volumes generally pick up in the later stages of the year anyway. Combine that with those vulnerabilities currently being fixed in “Vista compatible” versions and now working their way through multiple vendors’ QA teams, and we’re still more than on track for another record-breaker of a year. Like it or not...
    Copyright 2001-2007 © Gunter Ollmann