The DoB (Date of Birth) of a Vulnerability

Once every now and then I see reports mentioning the decrease or increase of vulnerabilities. Most of the time, these statements are based on statistics of publicly announced vulnerabilities during a specific time period, which can make you wonder: when is a vulnerability actually born, and when is it dead? I think the second question is answered by the moment the vulnerability is fixed, i.e. patched, and here is a good answer to the first one:

DOB = The “date of birth” of the vulnerability. For software manufacturers, this is the date of first release to users. For enterprises, this is the date of implementation of the software that has the vulnerability in question.

We shouldn’t be so focused on statistics of publicised vulnerabilities, since they don’t measure the existence of vulnerabilities but rather the effort spent finding them. The only way we can decrease the total amount of vulnerabilities is to get rid of them, i.e. by patching. Likewise, the only way we can increase the total amount of vulnerabilities is to add code with vulnerabilities, i.e. create new insecure applications (or perhaps a patch?). Since patches usually follow vulnerability announcements, more vulnerability disclosures should mean more patches, which means more secure software. So, shouldn’t we be concerned if the number of publicly announced vulnerabilities drops?
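To make the distinction concrete, here is an added example (my own illustration, not code from the post) that tracks a handful of constructed vulnerability records by their DoB (first release of the vulnerable code), disclosure date and patch date. It contrasts the usual metric, disclosures per year, with the metric the post argues for: how many vulnerabilities are actually alive at a given moment, and for how long each one was exposed. The record IDs and dates are invented for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

DateLike = Union[str, date]


def _to_date(d: DateLike) -> date:
    """Accept either a date or an ISO string such as '2007-12-31'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass
class Vuln:
    vid: str                  # hypothetical identifier, not a real CVE
    dob: date                 # "date of birth": first release of the vulnerable code
    disclosed: Optional[date]  # public announcement, if any
    patched: Optional[date]    # "death": date the fix is applied, if any


# Constructed sample data: two were born in the same release,
# one is still unknown to the public, one is disclosed but unpatched.
SAMPLE = [
    Vuln("V-1", date(2005, 3, 1), date(2006, 6, 1), date(2006, 7, 1)),
    Vuln("V-2", date(2005, 3, 1), date(2007, 2, 1), date(2007, 2, 15)),
    Vuln("V-3", date(2006, 9, 1), None, None),
    Vuln("V-4", date(2007, 1, 10), date(2007, 3, 1), None),
    Vuln("V-5", date(2004, 1, 1), date(2007, 5, 1), date(2007, 5, 20)),
]


def disclosures_in_year(vulns, year: int) -> int:
    """The metric the reports use: how many announcements fell in a year."""
    return sum(1 for v in vulns if v.disclosed and v.disclosed.year == year)


def open_on(vulns, day: DateLike) -> list:
    """Vulnerabilities alive on `day`: born on or before it and not yet patched.
    Disclosure plays no role here; an undisclosed bug is just as alive."""
    day = _to_date(day)
    return [v.vid for v in vulns
            if v.dob <= day and (v.patched is None or v.patched > day)]


def exposure_days(v: Vuln, as_of: DateLike) -> int:
    """Days between DoB and death (or `as_of` if the bug is still alive)."""
    as_of = _to_date(as_of)
    end = v.patched if v.patched and v.patched <= as_of else as_of
    return (end - v.dob).days


def summary(vulns, year: int) -> dict:
    """Year-end view: disclosures counted vs. vulnerabilities actually alive."""
    year_end = date(year, 12, 31)
    alive = open_on(vulns, year_end)
    return {
        "year": year,
        "disclosed": disclosures_in_year(vulns, year),
        "alive_at_year_end": len(alive),
        "alive_ids": alive,
        "mean_exposure_days": round(
            sum(exposure_days(v, year_end) for v in vulns if v.dob <= year_end)
            / max(1, sum(1 for v in vulns if v.dob <= year_end))
        ),
    }


if __name__ == "__main__":
    for y in (2006, 2007):
        print(summary(SAMPLE, y))
```

On this data, disclosures rise from one in 2006 to three in 2007, yet the number of vulnerabilities alive at year end falls from three to two, because the announcements were followed by patches. Read only the first number and the picture looks worse; read the second and it looks better, which is exactly the gap between measuring discovery effort and measuring existence.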

One Response to “The DoB (Date of Birth) of a Vulnerability”

  1. gsandahl.net » Annual SANS Top-20 misses some points.
    28. November 2007 at 20:46

    […] also doesn’t seem to understand the Date of Birth of a vulnerability: We have seen significant growth in the number of client-side vulnerabilities, including […]
