2007 Vulnerability Disclosure Rates
Earlier this week X-Force
stats from the upcoming 2007 threat report. I was reading with
interest some of the Web responses to the high-level data –
particularly the conclusions people had come to – including the
dramatic leap of saying that vulnerabilities had gone down because
people were now selling them. Personally, I doubt that the
commercial aspects of buying and selling vulnerabilities have
anything but a marginal effect on the volume of disclosures last
As a quick recap, 2005 and 2006 both saw year-on-year increases
in new vulnerabilities of around 40%. For 2007, the year-on-year
figure was a 5.4 percent decrease – however high-impact
vulnerabilities rose by 28 percent.
Based upon some of the comments I observed, a few people didn’t
really understand that X-Force were talking about the rate of
increase. That is to say there were over six and a half thousand
brand new – never seen before – vulnerabilities added to the tens of
thousands that businesses already have to protect themselves
against. In that context, a 5.4 percent decrease can hardly deliver
much good news – but I suppose it is better than an increase.
Some people also assumed that this is the first time that the
year-on-year rate of new vulnerability disclosures has decreased. In
fact, X-Force have been tracking vulnerability disclosure since 1995
and there have been other years where rates have dipped, but the
graph shown only goes back to the start of the millennium – hence the
I guess the question for many people is “why the decrease?”
Here are my thoughts on what has probably influenced this
marginal decrease in the rate of public disclosures (in order of
- Decreasing Appeal – by that I mean, the
disclosure numbers have become so large that finding a
vulnerability has much less impact nowadays. Just a couple of
years ago, there was still a lot of kudos associated with being
able to say that you had discovered dozens of vulnerabilities.
That street-cred has diminished of late largely due to the high
volume of fuzzer-found vulnerabilities by what many would call
script-kiddies and the “statistical insignificance” of many
Don’t get me wrong, there are still a lot of professional (and
would-be-professional) bug-hunters seeking out new
vulnerabilities. However, to differentiate themselves from the
fuzzing script-kiddies there’s been an increased emphasis on
only really pursuing high-impact vulnerabilities – i.e. bugs
that will stand out amongst the statistical hordes. This is
probably an influence on the percentage increase in high-impact
vulnerability disclosures in 2007.
- Vendor Improvements – the way vendors test
and QA new product releases has matured. Sure, this year’s list of
top-10 vulnerable vendors probably looks much like any previous
year, but most have been improving how they test the security of
their products. It can be a little difficult to see because the
major vendors are constantly releasing new software. If you take
a look at the volume of products they supported throughout 2007
(both new products released in 2007 and previous years’ “current”
product portfolios), you’ll probably notice that each had more
software than ever before.
However, the vast majority of software isn’t produced by the
top-10 vendors – so John Doe’s auto-search PHP-scripted portal
is unlikely to have been caught up in the “test the security
before you ship it” movement.
- Professional bug-hunters – have
increasingly achieved what they sought – i.e. to get noticed,
and be paid by the vulnerable vendors themselves. I know
literally hundreds of reverse-engineers and researchers that
have great track records for finding vulnerabilities. Just about
all of them are now employed as full-time security consultants –
selling their skills to the vendors of the software they used to
publicly disclose vulnerabilities in.
Just about all of them drove the “revolution” in security
testing and QA back in 2004/2005, and now contract their skills
to the vendors – driving the improvements from within. I guess a
regular salary beats a few disclosures on Bugtraq.
Now don’t conclude that these professional bug-hunters aren’t
still finding new vulnerabilities outside their vendor
contracts. They still are. However, the volume of new
discoveries is less – due to a mix of finding the time necessary
to do the research, and only really pursuing the juicy
high-impact vulnerabilities that would improve their reputation
(and consequently their consulting rates).
- Vulnerability purchase programs – have
helped weed out a lot of the “lame” vulnerabilities and add an
additional step (and time delay) to the vulnerability disclosure
process. I think that many of the would-be-professional
bug-hunters have found that, in order to earn money from their
bugs, they have to do more work than just saying “if I do this,
the application causes a stack overflow”.
To sell their vulnerability, they have to prepare more
information about their “security” flaw – all this takes time
and effort. In addition, by going through this information
gathering process, it becomes easier to uncover the exploit
impact of the vulnerability – which probably causes more than a
few would-be-professionals to go to the additional effort of
proving that their “DoS” discovery could really be a reliable
remote-access vulnerability (i.e. worth more money).
Obviously we’ll all be watching how vulnerability disclosures
pan out in 2008. I’m sure we’d all like to see the disclosure rate
continue to drop. However, there are a lot of dynamics to the
vulnerability disclosure business and year-on-year rates have done
unexpected things before.
Since so much of bug hunting is now tool-based using automated
fuzzers, any substantial improvement in tool quality during 2008
could cause the total number of disclosures to skyrocket.