ISS: Vulnerability counts fall in 2007; Do you buy it?

IBM's Internet Security Systems is previewing its X-Force report and disclosed a notable factoid: Vulnerability disclosures fell 5.4 percent in 2007 relative to 2006.

Here's the data in a chart as disclosed in the ISS blog:

[Chart: iss.png, ISS X-Force count of vulnerability disclosures per year]

Feel safer yet? You shouldn't.

ISS says that the decline is a statistical anomaly because the growth in vulnerabilities was large in 2005 and 2006. The 2007 decline could be just a statistical correction in an uptrend. ISS also notes that "although there was a decrease in overall vulnerabilities, high-priority vulnerabilities increased by 28 percent. Researchers could simply be focusing on the sometimes more difficult, high-priority finds."

I reckon that ISS's explanations are off on all counts. Vulnerabilities aren't down; disclosure is down. So where are these vulnerabilities going? Here are three not-so-comforting possibilities:

  • Hackers are selling vulnerabilities instead of disclosing them;
  • Hackers are banking vulnerabilities for later;
  • Or the vulnerabilities are quietly patched without ever being disclosed. If a vulnerability is never disclosed and is patched on the fly, would you ever notice?
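
One way to start answering that last question, as an added example that is not part of the original post and is not ISS's code: cross-reference a vendor's commit log against the advisories it actually published, and flag commits whose messages read like security fixes but cite no advisory. The commit lines, the advisory identifier format (EXAMPLE-SA-...) and the keyword list below are all constructed for the illustration, not taken from any real project.

```python
"""Heuristic detector for silently patched vulnerabilities.

Added example (not from the original post). Idea: a vendor that fixes a bug
without disclosing it still has to ship the fix, so its changelog or commit
log usually contains a tell-tale message. Compare security-looking commit
messages against the list of advisories the vendor published; anything that
looks like a fix but cites no advisory is a candidate silent patch.
All input data here is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed keyword list; a real deployment would tune this per code base.
SECURITY_TERMS = re.compile(
    r"\b(?:buffer overflow|use[- ]after[- ]free|double[- ]free|off[- ]by[- ]one|"
    r"out[- ]of[- ]bounds|injection|xss|csrf|path traversal|sanitiz\w*|"
    r"unsafe|exploit\w*|security|cve-\d{4}-\d{4,})\b",
    re.IGNORECASE,
)

# Identifiers a disclosed fix would cite: CVE ids, or a vendor advisory id in
# the assumed form VENDOR-SA-YYYY-NNN (the vendor format is an assumption).
ADVISORY_REF = re.compile(
    r"\b(?:CVE-\d{4}-\d{4,}|[A-Z]+-SA-\d{4}-\d+)\b", re.IGNORECASE
)


@dataclass
class Commit:
    sha: str
    message: str


def parse_log(text):
    """Parse 'sha<TAB>message' lines (e.g. from `git log --format='%h%x09%s'`)."""
    commits = []
    for line in text.strip().splitlines():
        sha, _, msg = line.partition("\t")
        if sha and msg:
            commits.append(Commit(sha.strip(), msg.strip()))
    return commits


def find_silent_fixes(commits, advisories):
    """Return commits that look security-relevant but cite no known advisory."""
    known = {a.upper() for a in advisories}
    suspects = []
    for c in commits:
        if not SECURITY_TERMS.search(c.message):
            continue  # nothing security-flavoured in the message
        cited = {r.upper() for r in ADVISORY_REF.findall(c.message)}
        if cited & known:
            continue  # disclosed: the message cites a published advisory
        suspects.append(c)
    return suspects


# Constructed sample data: five commits, one published advisory.
CONSTRUCTED_LOG = """\
a1b2c3d\tFix buffer overflow in image parser (EXAMPLE-SA-2007-001)
b2c3d4e\tRefactor logging module
c3d4e5f\tFix out-of-bounds read when copying header into fixed buffer
d4e5f6a\tSanitize filename before opening to stop path traversal
e5f6a7b\tUpdate copyright year
"""
CONSTRUCTED_ADVISORIES = ["EXAMPLE-SA-2007-001"]


def silent_fix_shas(log_text=CONSTRUCTED_LOG, advisories=CONSTRUCTED_ADVISORIES):
    """Convenience wrapper returning only the SHAs of suspected silent fixes."""
    return [c.sha for c in find_silent_fixes(parse_log(log_text), advisories)]


if __name__ == "__main__":
    for commit in find_silent_fixes(parse_log(CONSTRUCTED_LOG), CONSTRUCTED_ADVISORIES):
        print(f"possible silent fix: {commit.sha} {commit.message}")
```

On the constructed log, the two commits that fix an out-of-bounds read and a path traversal without citing any advisory are flagged, while the disclosed overflow fix and the two housekeeping commits are not. The keyword match is only a triage heuristic: a vendor that writes "fix crash" or nothing at all defeats it, and a commit that merely mentions "security" in passing trips it, so the candidates still need a human or a patch diff to confirm.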

In any case, there's a lot happening under this surface data. Unfortunately, it'll take a few more years to see where the vulnerability trends lie.
