
Published vulns are declining - Good or bad?

Apparently, the growth in the number of disclosed vulnerabilities is declining. As usual, this kind of statistic comes with a lot of speculation about what it means for security. A common idea is that fewer disclosed vulnerabilities must mean we are more secure, right?

While at it, let me speculate some too. From a hacker's perspective, the most valuable vulnerability is the one no one else knows about, right? Such a vulnerability, if it sits in the “right” (from our perspective, wrong) piece of code, would let a hacker walk in through the front door of many targets. With money to be made from stealing company secrets, identity information and credit card details, it is fairly obvious that vulnerabilities themselves are worth more today than they used to be. The decline in disclosed vulnerabilities could just as easily be the result of increased care, focus and determination within the underground, keeping them for use in targeted, more sophisticated attacks. There is no easy way for us to know for certain, and that is why drawing conclusions about the state of security from vulnerability statistics is far too simplistic.

This kind of mindset reminds me of a speech I heard from the CSO of a large financial company here in Sweden: “We measure our security on the number of security incidents we have a year”. I instantly thought, “That says nothing. How hard are you looking?”.