According to IBM’s ISS (via eWeek), the number of publicly reported vulnerabilities dropped in 2007.

Pete Lindstrom cautiously (unusual for him) wonders if this means we’re over the hump.

I wanted to pick on Pete, but he was cautious enough in his wording that I don’t get to go all crazy and have too much fun at his expense. Here’s what I think is going on:

  1. More researchers sell vulnerabilities. There is a big market, and I’m not just talking about the Zero Day Initiative or other “public” programs. Both good guys and bad guys are quietly buying them up.
  2. Some researchers report vulnerabilities and don’t disclose them in public. I know at least a few who leave it up to the vendor to reveal any details.
  3. Some irresponsible researchers and bad guys just pass them around in the dark, never issuing a disclosure. I suspect a fair few of these make it into the light eventually.
  4. There is high risk to the researcher in disclosing web application vulnerabilities, since that’s effectively hacking someone’s site and is rarely, if ever, legitimate (or legal).

There is a lot of money involved in security research these days. Some of it good, some of it bad. Also, some researchers just don’t want to deal with the hassles and ugly tactics of certain vendors, while others don’t feel the need to disclose in public.

Overall, the landscape for reporting has changed in big ways over the past couple of years, but I highly doubt the lower numbers are in any way related to an actual reduction in code vulnerabilities across the industry.
