Bit9

A lot of buzz has been generated by our annual report on applications with the most reported vulnerabilities. I wanted to provide some further context as data is always subject to interpretation. We encourage honest and open disclosure by product vendors of security vulnerabilities (and their remediation when available). Much of the data provided to the NIST NVD is reported by the vendors themselves, and we applaud this honesty.

While we analyzed the volume and severity of vulnerabilities reported in 2010, it is also useful to understand what we did not analyze, because the NVD does not provide it. How many of the vulnerabilities were self-reported (by the vendors themselves) versus externally reported? What was the average time-to-fix (which requires knowing when a vulnerability was actually “known” to the vendor versus when it was reported to NIST)? Was a reported vulnerability a single issue or a roll-up of multiple issues? You can’t really compare who is #1 on our list to #10, for example, without that further context.

In fact, companies such as Google and Mozilla run incentive programs where people who report new vulnerabilities can actually get paid. By intent, such programs may lead to higher numbers of reported vulnerabilities, while also leading to more secure products. Reporting guidelines also vary – some vendors may report all vulnerabilities internally found, while others may not. In these regards, the products toward the top of our list may in fact be more secure or present less risk – IF you are keeping your applications up to date.

And that is the real point – the applications in our list are present on almost every desktop, and on average across the list, more than one high severity vulnerability is found (and often fixed) every day. Whether you are talking about your personal computer or you are managing hundreds of corporate endpoints, be aware and be diligent. Know what versions of products you are running and update them regularly. Apply best endpoint security practices and security products to protect yourself when applications have not been patched and for the next vulnerability which might be only a day away.
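To make the counting caveats above concrete, here is an added example (not Bit9's own analysis code) that tallies NVD-style records per product and per severity band the way a "most vulnerabilities" list is built, and exposes two of the distortions the post describes: a single CVE covering a shared component is counted once for every product it touches, and a raw per-day rate says nothing about whether the issues were self-reported or how fast they were fixed. The record shape, the product names and the CVE-EXAMPLE ids are constructed for the example; the severity bands are the NVD CVSS v2 ranges (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0).

```python
from collections import defaultdict
from datetime import date

# Constructed sample shaped like NVD entries (placeholder ids, NOT real CVE data).
# Each record lists the products it affects, its CVSS v2 base score and publish date.
SAMPLE_RECORDS = [
    {"cve": "CVE-EXAMPLE-0001", "products": ["browser_a"], "cvss": 9.3, "published": date(2010, 1, 4)},
    {"cve": "CVE-EXAMPLE-0002", "products": ["browser_a"], "cvss": 4.3, "published": date(2010, 2, 10)},
    # one advisory covering a component shared by two products: counted for both below
    {"cve": "CVE-EXAMPLE-0003", "products": ["plugin_b", "reader_c"], "cvss": 10.0, "published": date(2010, 3, 15)},
    {"cve": "CVE-EXAMPLE-0004", "products": ["reader_c"], "cvss": 7.5, "published": date(2010, 6, 1)},
    {"cve": "CVE-EXAMPLE-0005", "products": ["plugin_b"], "cvss": 2.1, "published": date(2010, 7, 20)},
    {"cve": "CVE-EXAMPLE-0006", "products": ["reader_c"], "cvss": 5.0, "published": date(2010, 9, 9)},
    # published the previous year, so it must not appear in a 2010 tally
    {"cve": "CVE-EXAMPLE-0007", "products": ["browser_a"], "cvss": 7.2, "published": date(2009, 12, 30)},
]


def severity(cvss):
    """Map a CVSS v2 base score to the NVD severity band."""
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def in_year(records, year):
    """Keep only records published in the given calendar year."""
    return [r for r in records if r["published"].year == year]


def count_by_product(records, year):
    """Per-product totals and High-severity counts.

    A CVE affecting N products is counted once for each of them, so the
    product rows add up to more than the number of distinct CVEs.
    """
    counts = defaultdict(lambda: {"total": 0, "high": 0})
    for r in in_year(records, year):
        for product in r["products"]:
            counts[product]["total"] += 1
            if severity(r["cvss"]) == "High":
                counts[product]["high"] += 1
    return dict(counts)


def rank(records, year):
    """Products ordered by total count (descending), name as tie-breaker."""
    counts = count_by_product(records, year)
    return sorted(counts, key=lambda p: (-counts[p]["total"], p))


def distinct_cves(records, year):
    """Number of distinct CVE ids, for comparison with the per-product sum."""
    return len({r["cve"] for r in in_year(records, year)})


def high_per_day(records, year):
    """Average number of High-severity CVEs published per day in the year.

    This is a disclosure rate only: it does not tell you who found the
    issue or how long it took to fix, which the NVD does not record.
    """
    days = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    highs = sum(1 for r in in_year(records, year) if severity(r["cvss"]) == "High")
    return highs / days


if __name__ == "__main__":
    year = 2010
    counts = count_by_product(SAMPLE_RECORDS, year)
    for product in rank(SAMPLE_RECORDS, year):
        print(f"{product:10} total={counts[product]['total']} high={counts[product]['high']}")
    print("distinct CVEs:", distinct_cves(SAMPLE_RECORDS, year),
          "vs product rows:", sum(c["total"] for c in counts.values()))
    print(f"high-severity CVEs per day: {high_per_day(SAMPLE_RECORDS, year):.4f}")
```

In the sample, reader_c tops the list with three entries, but one of them is the shared-component advisory that also counts against plugin_b, so the product rows sum to seven while only six distinct CVEs were published in the year. That gap, and the absence of any reporter or time-to-fix field, is exactly why a position on such a list needs the context described above before it is read as "less secure".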

